In the wake of two nearly identical state bills proposed within the last few weeks by state legislators in California and New York, a couple of congressmen have banded together to introduce a new federal bill aimed at thwarting state-level efforts to ban and degrade encryption.
The new federal bill, which was introduced by California Democratic Congressman Ted Lieu and Texas Republican Congressman Blake Farenthold, is called the “Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016,” which is perhaps easiest to refer to as ENCRYPT. In its entirety, the bill reads as follows:
A State or political subdivision of a State may not mandate or request that a manufacturer, developer, seller, or provider of covered products or services—
(1) design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency or instrumentality of a State, a political subdivision of a State, or the United States; or
(2) have the ability to decrypt or otherwise render intelligible information that is encrypted or otherwise rendered unintelligible using its product or service.
Speaking to Ars Technica over the phone on Tuesday, Lieu said that it’s “very clear” to him “that the people who are asking for a backdoor encryption key do not understand the technology” and that such a backdoor key for law enforcement would eventually get found by hackers “or the FBI will let it get stolen.”
It’s very clear to me that the people who are asking for a backdoor encryption key do not understand the technology […] You cannot have a backdoor key for the FBI. Either hackers will find that key or the FBI will let it get stolen.
“You cannot design a technological backdoor only for the good guys, because hackers will eventually find that backdoor, or what’s more likely is the federal government will get hacked through that backdoor,” Lieu was quoted by Wired as having explained.
As for whether forcing manufacturers of devices that employ encryption, such as iPhone manufacturer Apple (which has notably fought the U.S. government to protect encrypted user data) and Galaxy maker Samsung, to install government backdoors might help thwart the efforts of terrorists to conduct an attack, Lieu stated that there isn’t “a single shred of evidence” in support of the notion that such a backdoor “would have prevented any terrorist attack.”
Wired’s Brian Barrett referred to state-imposed decryption mandates on companies as not only “wildly impractical” but “entirely unenforceable.” In support of his claims, Barrett quoted Electronic Frontier Foundation attorney Andrew Crocker as having said that “it seems pretty impossible for states to control the flow of software and cellphones in and out of the state.”
It’s particularly bad for states to legislate something like this. Their power only extends to their borders, so if you required Apple to sell cellphones in California that were decryptable you could just go to Oregon, or Connecticut and get one that wasn’t […] You start to play out how it would work, and it seems pretty impossible for states to control the flow of software and cellphones in and out of the state.
On the other side of the fence, law enforcement officials have argued in favor of an encryption backdoor to be used in circumstances in which a court order authorizes them to lawfully access information contained within a device. The International Association of Chiefs of Police (IACP) released a report in 2015 in which, among other things, it clarified its intent:
To be clear, the law enforcement community is not asking for new surveillance authorities above and beyond what is currently provided by the U.S. Constitution or by lawful court orders, nor are we attempting to access or monitor the electronic communications of all citizens. Law enforcement simply needs to be able to lawfully access information that has been duly authorized by a court in the limited circumstances prescribed in specific court orders—information of potentially significant consequence for investigations or serious crimes and terrorism.
Previously, Immortal News reported on the discovery of a vulnerability stemming from the U.S. government’s regulation of encryption contained within products shipped overseas. The federal government’s regulation of such products, which established an export-grade encryption standard, resulted in a vulnerability in Apple’s Safari and Google’s Android web browsers that had left users exposed since the 1990s.