Encrypt Act Blocks States From Banning Encryption

What’s old becomes new again in the United States Congress. A pair of encryption bills initially introduced in Congress back in 2016 have resurfaced in the House of Representatives, but the prospects of their becoming law remain murky.

A few weeks ago, a group of bipartisan lawmakers in the House introduced the Secure Data Act to ban government agencies from mandating encryption backdoors in hardware. Another group of lawmakers has followed up with another bill, the ENCRYPT Act of 2018, to block states and local governments from compelling technology companies to create backdoors to access secure information or to decrypt the contents of encrypted messages. The bill’s purpose is to preempt state and local governments from passing their own laws governing encryption before the federal government has a chance to do so.

“Any discussion of encryption and law enforcement access to data needs to happen at the federal level,” said Rep. Ted Lieu (D-Calif).

The Ensuring National Constitutional Rights for Your Private Telecommunications Act states that state governments may not force hardware makers or developers to “design or alter the security functions” to “allow the surveillance of any user of such product or service, or to allow the physical search of such product.” The bill also bans the states from demanding the “ability to decrypt or otherwise render intelligible information that is encrypted or otherwise rendered unintelligible.” Finally, states will not be able to ban products or services just because they use encryption or have other security functions.

Reps. Mike Bishop (R-Mich), Susan DelBene (D-Wash), and Jim Jordan (R-Ohio) joined Rep. Lieu in sponsoring the Ensuring National Constitutional Rights for Your Private Telecommunications Act, which is a slightly tweaked version of an older bill with the same name. Similarly, the Secure Data Act is a rehash of an earlier bill from 2016.

Over the years, law enforcement officials, led by the Federal Bureau of Investigation, have warned that criminals and terrorists are increasingly using end-to-end encryption services and enabling encryption on their physical devices to hide their activities. Law enforcement has repeatedly pressed for a technological or regulatory response that would allow investigators to access the information. Officials have argued that not being able to decrypt messages or access saved information hinders investigations.

Tech companies and privacy advocates have resisted the pressure, arguing that any kind of backdoor mechanism would inevitably weaken encryption, leaving enterprises and users vulnerable to criminals.

The earlier versions of the Encrypt Act and the Secure Data Act were introduced shortly after the FBI’s public fight with Apple over unlocking the iPhone used by the suspected shooter in San Bernardino. It’s not surprising that Congress didn’t want to tackle the encryption debate at that time and left the bills languishing in committee two years ago, but the conversation hasn’t changed all that much since then. Attorney General Jeff Sessions recently told a law enforcement conference in Arizona that Congress needed to pass a law giving investigators access to warrant-proof encryption systems.

There were reports of exploratory efforts in the Senate to pass the kind of encryption-breaking legislation law enforcement is asking for, but no formal proposal has been made yet.

“It is troubling that law enforcement agencies appear to be more interested in compelling U.S. companies to weaken their product security than using already available technological solutions to gain access to encrypted devices and services,” Rep. Lofgren said when introducing the Secure Data Act.

It’s not clear if Congress has the political muscle, or even the desire, to tackle this perennial issue. While privacy and tech groups praised these bills, there is no indication that they will get enough support in committee or reach the House for a full vote. Considering that some states have started passing their own security-related bills (Georgia tried legislating security research recently, but the governor vetoed the bill), there is a risk that states will start passing their own encryption-related laws. The danger is winding up with a mishmash of legislation around encryption that would be a nightmare to navigate, similar to the current situation with data breach notification laws varying state by state.