Crypto Fight: US Lawmakers Seek Freedom From Backdoors
'Secure Data Act' Tries to End Long-Running Encryption Standoff
A bipartisan group of U.S. lawmakers reintroduced legislation in the House of Representatives on Thursday that would stop the government from forcing software vendors to intentionally weaken their products for surveillance purposes.
If it becomes law, the Secure Data Act of 2018 would likely end the passionate "going dark" debate, which has pitted law enforcement against the technology industry.
Many top law enforcement officials contend that the increasing use of encryption in software products has made it difficult or impossible to access information that investigators require to better protect the public.
The introduction of the legislation marks the third attempt by lawmakers in the past four years to gain traction for such a law. The same bill was introduced in the Senate in 2014 and the House in 2015.
The bill's backers say their impetus for passing such a law has not changed. "Encryption backdoors put the privacy and security of everyone using these compromised products at risk," says bill co-sponsor Rep. Zoe Lofgren, D-Calif.
"It is troubling that law enforcement agencies appear to be more interested in compelling U.S. companies to weaken their product security than using already available technological solutions to gain access to encrypted devices and services," Lofgren says.
Other House lawmakers co-sponsoring the bill are Thomas Massie, R-Ky.; Jerrold Nadler, D-N.Y.; Ted Poe, R-Texas; Ted Lieu, D-Calif.; and Matt Gaetz, R-Fla.
Their effort has earned plaudits from digital rights groups, including the Electronic Frontier Foundation, which on Thursday said that the bill "gets encryption right."
The EFF's David Ruiz says in a blog post: "This welcome piece of legislation reflects much of what the community of encryption researchers, scientists, developers and advocates have explained for decades - there is no such thing as a secure backdoor."
The move by technology vendors to strengthen data protections in their products has been fueled by ever-increasing cybercrime, hacking efforts sponsored by nation-states, and the scale of the mass surveillance programs being conducted by the U.S. and U.K. governments, as revealed in 2013 by former National Security Agency contractor Edward Snowden.
Messaging products such as Facebook's WhatsApp, Signal and Apple iMessage use end-to-end encryption. The key to decrypt the messages a user shares gets stored only on a user's device.
This approach means that law enforcement and intelligence agencies cannot obtain the key from the service provider because the provider doesn't possess it. Even with a valid warrant, law enforcement would need to obtain the suspect's passcode in order to read the content. Absent the passcode, investigators could try other methods, such as targeting unpatched software vulnerabilities.
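To make the point above concrete, here is an added example that is not from the article or from any of the products it names: the same ciphertext is relayed under two designs, one where the decryption key exists only on the user's device and one where the provider keeps an escrow copy. The toy HMAC-based cipher, the Provider class and the function names are assumptions chosen so the model runs with the Python standard library only.

```python
# Added illustration (not from the article): where the messaging key lives.
# The toy cipher (HMAC-SHA256 keystream + HMAC tag) is an assumption made to
# stay standard-library only; real messengers use AES-GCM or similar.
import hmac, hashlib, secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class Provider:
    """Relay server. In E2E mode it stores only ciphertext; in escrow mode it also keeps a key copy."""
    def __init__(self, escrow: bool):
        self.escrow, self.stored, self.key_escrow = escrow, [], {}
    def register(self, user: str, key: bytes):
        if self.escrow:
            self.key_escrow[user] = key   # the backdoor: provider holds a key copy
    def relay(self, sender: str, blob: bytes):
        self.stored.append((sender, blob))  # the provider sees ciphertext only
    def respond_to_warrant(self) -> list:
        """What the provider can hand over: None means ciphertext it cannot read."""
        out = []
        for sender, blob in self.stored:
            key = self.key_escrow.get(sender)
            out.append(decrypt(key, blob) if key is not None else None)
        return out

def run(escrow: bool) -> list:
    provider = Provider(escrow)
    key = secrets.token_bytes(32)  # conversation key generated on the device
    # Assumption: both devices already share `key` via an on-device key
    # agreement (X25519 in real apps); the provider only gets a copy in escrow mode.
    provider.register("alice", key)
    provider.relay("alice", encrypt(key, b"meet at noon"))
    return provider.respond_to_warrant()
```

With escrow disabled the provider can answer a warrant only with ciphertext; with escrow enabled, anyone who obtains the provider's key store, lawfully or otherwise, reads every stored message.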
Law enforcement agencies have also been using services from Cellebrite, an Israeli firm that used an unknown method to enable the FBI to unlock the San Bernardino shooter's iPhone.
An Atlanta-based firm called GrayKey has also been selling a small device to law enforcement agencies and researchers that can reportedly unlock some iPhones, although such efforts could take several days or longer.
Apple Likens Backdoors to Cancer
The technology industry strongly opposes making their products weaker, whether via introducing backdoors, keeping copies of decryption keys, or developing software that would undermine security protections. In 2016, Apple CEO Tim Cook said building such software for its mobile devices would be the equivalent of creating "cancer."
The FBI took Apple to court in an attempt to force the company to come up with software that could defeat security protections in the iPhone 5 of San Bernardino shooter Syed Rizwan Farook, who died in a gun battle. The government dropped the case, however, after Cellebrite enabled it to access the device without endangering its data (see FBI Unlocks iPhone; Lawsuit Against Apple Dropped).
But the bureau's move left unresolved the legal question of whether the government has the power to compel developers to essentially break their own software.
The government's decision to take Apple to court came into question last month. The Justice Department's Office of the Inspector General found that the FBI appeared not to have fully exhausted technical options for unlocking Farook's phone before going to court. The Inspector General recommended that the FBI improve coordination and communication in high-profile incidents, according to the IG's report.
Other countries have also been ratcheting up the pressure on technology companies, which could set the stage for further legal challenges to their use of crypto.
The U.K.'s Investigatory Powers Act, passed in 2016, allows authorities to issue a "technical capability notice" to service providers that compels them to remove electronic protections. Australia is also considering similar legislation, but the government maintains that its intention is not to legislate backdoors.
The Encryption 'Problem'
The encryption debate remains on the front burner. On Monday, U.S. Attorney General Jeff Sessions contended that "the stakes are high" with the growing encryption "problem."
"Last year the FBI was unable to access investigation-related content on more than 7,700 devices - even though they had the legal authority to do so," Sessions told the Association of State Criminal Investigative Agencies 2018 Spring Conference in Scottsdale, Arizona. "Each of those devices was tied to a threat to the American people."
Sessions says the Justice Department is trying to find a solution. "Ultimately, we may need Congress to take action on this issue," he says.
Tech Giants Slam Backdoors
As the U.S. government has continued its press for weak crypto, technology giants have continued to respond.
Last month, the Reform Government Surveillance coalition - comprising Apple, Dropbox, Evernote, Facebook, Google, LinkedIn, Microsoft, Oath, Snap and Twitter - said it would continue to push for the right to protect users via strong encryption and to battle attempts to provide "exceptional access" for law enforcement purposes.
"Recent reports have described new proposals to engineer vulnerabilities into devices and services - but they appear to suffer from the same technical and design concerns that security researchers have identified for years," the group says in a statement. "Weakening the security and privacy that encryption helps provide is not the answer."
The group added: "Governments should avoid any action that would require companies to create any security vulnerabilities in their products and services."
Executive Editor Mathew Schwartz contributed to this report.