In the last few months we wrote an article on the EARN IT Act, which purported to put a commission in place to determine best practices but was really a backdoor to stripping away end-to-end encryption. It is hard to imagine another piece of legislation posing a larger threat to end-to-end encryption than the EARN IT Act. Yet we have a new bill to review today, and it attacks end-to-end encryption head-on.
When examining the Lawful Access to Encrypted Data Act (“LAED”), it is important to establish a basic understanding of the Act, draw comparisons where useful, and discuss the ramifications the Act would have for privacy rights.
Background on the Lawful Access to Encrypted Data Act
On June 23, 2020 LAED was introduced by Senate Judiciary Committee Chairman Lindsey Graham (R-South Carolina) and U.S. Senators Tom Cotton (R-Arkansas) and Marsha Blackburn (R-Tennessee). The bill was introduced by the senators in order to:
Bolster national security interests and better protect communities across the country by ending the use of “warrant-proof” encrypted technology by terrorists and other bad actors to conceal illicit behavior.
However, this act does not just target “bad actors”; it targets tech companies. In fact, it targets any company that creates an operating system or communication system with more than 1 million active users. The bill puts the burden on these companies to build a secure backdoor for the government to access in the event of a court-issued warrant. So yes, this targets iPhone and Android phones, but by the manner in which it is written it also targets Fitbits, your gaming consoles and possibly the Alexa device you left at your grandma’s house.
The bill in its entirety can be read here. It is about 50 pages long, but here are the main takeaways:
- The bill is focused on having device manufacturers and service providers assist law enforcement in accessing encrypted data once they are presented with a warrant.
- Under the bill, the Attorney General has the power to issue directives to device manufacturers and service providers to report on their ability to comply with court orders. In this regard, a company that is issued a directive may appeal the directive in federal court. Additionally, the government bears the responsibility to compensate companies for reasonable costs incurred for complying with a directive.
- The bill also sets up an “incentive system” that awards prizes to participants (companies) who create a secure backdoor within an encrypted environment.
- The bill allocates funding for a grant program within the Justice Department’s National Domestic Communications Assistance Center (NDCAC) to increase digital evidence training for law enforcement and creates a call center for advice and assistance during investigations.
The Vulnerability of End-to-End Encryption
One of the glaring problems with the bill is how it demonizes end-to-end encryption. The fact of the matter is that end-to-end encryption protects millions of people worldwide from oppressive governments, hackers and a slew of other dangers. I mentioned this in my review of the EARN IT Act, but the reason end-to-end encryption works is that service providers cannot read messages sent between two parties. If you force companies to follow an arbitrary directive and create a backdoor, that same backdoor can be used by hackers and other bad actors to obtain access to the information that should have been protected in the first place.
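To make the point above concrete, here is an added Python model, not code from the original post and not a real-world cipher: the stream cipher and key wrapping are toy constructions built from hashlib and hmac purely for illustration, and the names (Relay, send_e2ee, send_escrowed, readable_with) are assumptions made for this example. It contrasts a provider that stores only ciphertext with one that must keep an escrow key so that every conversation key can be unwrapped on demand. The second design reads every message under a warrant, but it reads every message for anyone else who obtains that one key too, which is exactly the exposure the paragraph describes.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Toy authenticated stream cipher: SHA-256 in counter mode for the keystream plus an
# HMAC-SHA256 tag. Constructed for this illustration only; not a real cipher.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Relay:
    """The service provider (hypothetical). It stores and forwards blobs; under pure
    E2EE it holds no message keys. With a mandated backdoor it holds one escrow key
    under which every conversation key is wrapped."""

    def __init__(self, escrow_key: Optional[bytes] = None) -> None:
        self.escrow_key = escrow_key
        self.stored: List[Tuple[Optional[bytes], bytes]] = []  # (wrapped key, message blob)


def send_e2ee(relay: Relay, conv_key: bytes, message: bytes) -> None:
    """Endpoint side: encrypt under a key only the two parties share (assumed to come
    from a key agreement outside this model); the relay receives ciphertext only."""
    relay.stored.append((None, encrypt(conv_key, message)))


def send_escrowed(relay: Relay, conv_key: bytes, message: bytes) -> None:
    """Same message, but with the conversation key also wrapped under the provider's
    escrow key and stored beside it, so the provider can unwrap it on demand."""
    assert relay.escrow_key is not None, "escrowed sending needs a relay with an escrow key"
    relay.stored.append((encrypt(relay.escrow_key, conv_key), encrypt(conv_key, message)))


def readable_with(escrow_key: Optional[bytes], relay: Relay) -> List[Optional[bytes]]:
    """What a holder of `escrow_key` can recover from the relay's storage.
    None means the entry stays opaque ciphertext."""
    out: List[Optional[bytes]] = []
    for wrapped_key, blob in relay.stored:
        if escrow_key is None or wrapped_key is None:
            out.append(None)
            continue
        try:
            out.append(decrypt(decrypt(escrow_key, wrapped_key), blob))
        except ValueError:
            out.append(None)  # wrong key: the entry stays opaque
    return out


def e2ee_demo() -> Tuple[List[Optional[bytes]], bytes]:
    """Provider view (no key at all) versus the recipient who holds the conversation key."""
    relay = Relay()
    conv_key = secrets.token_bytes(32)
    send_e2ee(relay, conv_key, b"meet at 6")  # constructed sample message
    return readable_with(None, relay), decrypt(conv_key, relay.stored[0][1])


def escrow_demo() -> Tuple[List[Optional[bytes]], List[Optional[bytes]], List[Optional[bytes]]]:
    """Provider view under escrow, the view with an unrelated key, and the view of a
    party holding a copy of the escrow key (e.g. after a breach)."""
    escrow = secrets.token_bytes(32)
    relay = Relay(escrow_key=escrow)
    for msg in (b"meet at 6", b"medical results"):  # constructed sample messages
        send_escrowed(relay, secrets.token_bytes(32), msg)
    leaked_copy = bytes(escrow)  # the same bytes, now outside the provider's control
    return (
        readable_with(relay.escrow_key, relay),
        readable_with(secrets.token_bytes(32), relay),
        readable_with(leaked_copy, relay),
    )


if __name__ == "__main__":
    print("E2EE provider view:", e2ee_demo()[0])
    print("Escrow provider / wrong key / leaked key:", escrow_demo())
```

The design choice worth noticing is that nothing in `readable_with` distinguishes a warrant from a thief: the escrow key is the only input, so the security of every stored conversation collapses to the secrecy of that single key.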
Riana Pfefferkorn wrote a compelling argument against the bill for the Center for Internet and Society at Stanford Law. In her writing, she states that while language such as “lawful access to encrypted data” and “exceptional access only with a warrant” sounds limited, it is actually very broad. She states in part:
This is a sweeping bill. “Exceptional access” is a phrase that suggests some narrow, limited concept. In truth, what this bill would require is a mandatory built-in mass backdoor for practically every device or service you use that has a computer in it or touches the Internet at any point. If it passes, this bill marks the end of strong encryption for stored data on devices; those would now be illegal to sell in America — Riana Pfefferkorn
The bill itself also leaves companies little room to deny compliance. The only standard it lays out is that a company may refuse to provide access only if doing so would be “technically impossible”. Thus, access to private information does not turn on any ethical concern; it is limited only by technology. If that is the case, the bill may as well say outright that it will force companies to create a backdoor, because as currently written it leaves little room for alternatives.
The bill makes it seem as though there is no other way for law enforcement to obtain actionable information. On the contrary, the U.S. legal system already allows law enforcement to obtain a large amount of information through court-issued warrants. Apple, for example, has released iCloud backups, transactional data and account information in certain situations. In addition, the FBI and other law enforcement agencies have broken into phones and other hardware without the need for a backdoor.
What is clear, however, is that large tech companies and law enforcement need to find a way forward together. End-to-end encryption offers users privacy. Unfortunately, a small minority uses end-to-end encryption to carry out illegal acts and do terrible things. However, ending end-to-end encryption will just move bad actors to other applications. In addition, stripping away end-to-end encryption hurts U.S. companies and can affect how service providers and device manufacturers compete on a global level.
We can all push for change at different levels, whether by educating yourself on this bill, sharing it with your friends, or writing to your U.S. Senators and representatives.
If you would like to reach out, you can do so here: