New legislation would require companies to bypass encryption

Three Republican senators have introduced legislation that would require smartphone-makers and other tech companies to give law enforcement agencies access to encrypted communications or devices if ordered to do so by a court.

The controversial new Lawful Access to Encrypted Data Act, introduced in June by Sens. Lindsey Graham of South Carolina, Tom Cotton of Arkansas, and Marsha Blackburn of Tennessee, is intended to help police investigate terrorism, money laundering, child pornography, and other crimes. The sponsors argue that criminals often use encryption to hide their illegal activities from investigators.

“Terrorists and criminals routinely use technology, whether smartphones, apps, or other means, to coordinate and communicate their daily activities,” Graham, chairman of the Senate Judiciary Committee, said in a statement.

In recent years, investigations of “numerous” terrorism and criminal cases were hampered because vital information was hidden behind encryption — with tech companies refusing to honor court orders that require them to disclose the information, Graham added. “My position is clear,” he said. “After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations.”

Cybersecurity experts and digital rights groups almost universally denounced the legislation, saying the bill would create holes in encryption that cybercriminals could exploit. The bill would “effectively outlaw encryption,” the Electronic Frontier Foundation said.

Because of the controversy, the bill is unlikely to pass this year, but sponsors may use it to push the encryption debate in the coming years.

Encryption only works when there’s no backdoor, said Caleb Barlow, CEO of CynergisTek, a cybersecurity firm focused on the healthcare industry. “The minute you have a backdoor, you break the integrity of the entire system,” he added.

While device encryption may limit law enforcement investigations in some cases, there are other ways for police to investigate crimes, Barlow said. “There is no shortage of signals intelligence that can be leveraged by law enforcement or intelligence agencies for legitimate use,” he said. “There are some historical tools that are going dark as encryption becomes pervasive, but we all need to recognize that this is one of the trade-offs of a free society. As one technology goes dark, another tool that can be used to identify aberrant behavior emerges, so this is all a balance.”

It’s unclear how many law enforcement investigations are stymied by encryption.

In December, New York County District Attorney Cyrus Vance Jr. told the Senate Judiciary Committee that his office encounters about 600 locked and encrypted Apple devices each year, with about half of them connected to violent crime investigations. But law enforcement agencies have also been able to defeat encryption in several cases. News reports suggested that the FBI was able to break the encryption on two Apple iPhones owned by a Saudi military trainee who killed three U.S. sailors in a 2019 terrorist attack at the Naval Air Station in Pensacola, Florida.

The Republican bill would require device manufacturers and service providers to assist law enforcement with accessing encrypted data if assistance would aid in the execution of the warrant. It also allows the U.S. attorney general to require device-makers to detail their ability to comply with court orders.

The bill also directs the attorney general to create a prize competition to award participants who create a lawful access method to encryption while “maximizing privacy and security.”

The push to give law enforcement agencies access to encrypted devices and communications is understandable given that terrorists, drug dealers, child predators, and other criminals use encryption, said David Kennedy, a former hacker at the NSA and CEO of TrustedSec, a cybersecurity vendor that trains the U.S. military’s cyber protection teams.

The encryption debate is complex and needs to go beyond emotional appeals to give police access. Kennedy acknowledged that widely available encryption has made it more difficult for police to do their jobs, but backdoors aren’t the answer, he said.

An encryption backdoor would raise concerns about government surveillance, threats to journalists and activists from repressive regimes, and criminal or state-sponsored hackers’ ability to target highly sensitive accounts, Kennedy added.

“A technology company can’t give special access to one government without creating a backdoor that could be used by other governments, intelligence agencies, malicious third-parties, and hackers,” he said.

“If you create a backdoor, that backdoor then exists — and anyone with the means to do so can exploit it.”
