Bipartisan bill would protect encrypted communications from the government

Google recently announced that it will bolster its encryption capabilities, making it easier for website developers to protect data that is transmitted on their site. This is a huge win for data privacy advocates, but it needs to be protected against government intrusion.

Thankfully there is a piece of legislation that would do just that. A simple two-page bipartisan bill would prevent any government agency from forcing a company to provide back doors to encrypted devices or communications. The two-page Secure Data Act would protect the most intimate communications of everyday Americans.

The legislation was introduced by a very ideologically diverse set of members from both parties: Reps. Zoe Lofgren, D-Calif.; Thomas Massie, R-Ky.; Ted Poe, R-Texas; Jerry Nadler, D-N.Y.; Ted Lieu, D-Calif.; and Matt Gaetz, R-Fla. It would protect manufacturers of encrypted devices such as Apple, and app developers such as WhatsApp, from being forced to “alter the security functions” of their products amid police investigations or any other circumstance.

There is one exception the bill lays out: companies must still comply with the wiretapping rules of the Communications Assistance for Law Enforcement Act. That law requires phone companies, Internet service providers and Voice over Internet Protocol companies, such as Skype, to build their devices and software with the capability to allow for wiretapping in the event of a proper investigation. However, CALEA still allows for end-to-end encryption to protect the communications of those who aren’t under investigation.

Data privacy advocacy groups, including the Electronic Frontier Foundation and New America, have already come out in favor of the Secure Data Act, and for good reason. As EFF’s David Ruiz put it, “This welcome piece of legislation reflects much of what the community of encryption researchers, scientists, developers, and advocates have explained for decades — there is no such thing as a secure back door.”

That hasn’t prevented lawmakers, federal law enforcement, and even some tech experts from naively pushing for back doors to encrypted devices.

Attorney General Jeff Sessions urged Congress to take action to weaken Americans’ encryption abilities. Sessions argued, “Last year, the FBI was unable to access investigation-related content on more than 7,700 devices … Each of those devices was tied to a threat to the American people.” EFF has asked the FBI to provide proof supporting Sessions’ claim, but the agency has not done so.

Following the 2015 mass shooting in San Bernardino, Calif., the FBI attempted to force Apple to unlock the shooter’s phone. The tech company refused, arguing that creating such a back door would jeopardize the data of law-abiding users everywhere. Ultimately, the FBI was able to access that particular device without a back door. As the folks at EFF have repeatedly claimed, the FBI’s real motivation in the Apple case was to “set a legal precedent” granting the agency the power to coerce companies into weakening their encryption. Thankfully, that didn’t happen.

Since that time the Department of Justice has repeatedly called for “responsible back doors” to break encryption on devices. But there is no such thing as a responsible back door.

In the wake of the San Bernardino shooting, Sens. Richard Burr, R-N.C., and Dianne Feinstein, D-Calif., introduced an ill-conceived anti-encryption bill, which thankfully gained no traction. The Compliance With Court Orders Act would have required tech companies to decrypt devices upon any court order to do so. Under the Secure Data Act, such court orders would carry no weight.

Shockingly, the calls for decryption haven’t come strictly from Washington. Former Microsoft Chief Technical Officer Ray Ozzie has touted his proposal to let law enforcement obtain an individualized, decrypted PIN from the manufacturer when a phone or other encrypted device is part of a criminal investigation and a warrant has been obtained. His four-step plan was lambasted by leading data security experts — including computer science professors from Columbia, Penn, and Stanford — as “yet another example of the wide gap between wishful rhetoric and technical reality.”

Robyn Greene, policy counsel and government affairs lead for New America’s Open Technology Institute, said, “Ozzie’s proposal — or any proposal to intentionally weaken encryption — would threaten cybersecurity, the economy, and Americans’ privacy. The Secure Data Act would protect Americans against those dangerous policy outcomes.”

It’s a pleasant surprise to see lawmakers introduce legislation that would actually improve data security and privacy for a change. Here’s hoping this legislation can get past anti-encryption zealots in Congress, and ensure the feds or malicious hackers cannot access Americans’ most sensitive data.

Dan King is a writer and digital communications professional based in Arlington, Virginia.
