House Bill Would Ban States From Weakening Encryption

As federal law enforcement agencies and some legislators continue to push for access to encrypted apps and devices, renewed efforts are underway to prevent states and municipalities from passing their own measures to hamper the design and sale of devices and software that provide strong encryption.

A group of four members of the House of Representatives has reintroduced a bill that would stop state and local governments from doing an end-run around Congress and enacting laws to weaken or ban strong encryption. The bill is known as the Ensuring National Constitutional Rights for Your Private Telecommunications Act and it’s designed to ensure that if Congress is unsuccessful in passing legislation to weaken encryption, states won’t have the ability to do so on their own. That scenario would mirror what has happened in the absence of a national data breach law, a situation that has led to inconsistent individual laws in every state and a lack of clarity for businesses.

Only, in the case of encryption systems or encrypted devices such as iPhones, such a patchwork would dictate where Apple or Google or Signal could sell their products.

“Having a patchwork of 50 different mandatory state-level encryption standards creates cyber vulnerabilities, threatens individual privacy, and undermines the competitiveness of American innovators,” said Rep. Ted Lieu (D-Calif.), one of the sponsors of the bill. “Strong encryption standards are vital to protecting our nation’s security and Americans’ privacy – and cybersecurity is a national issue that requires a national response. Our legislation is a crucial step toward securing strong encryption for all Americans.”

The bill is short and to the point, with three key provisions that address the potential ways in which states might try to legislate access to encrypted devices or apps. If passed, the bill would prevent states from passing measures that force a vendor of a product or service to “design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency or instrumentality of a State, a political subdivision of a State, or the United States.”

The bill would also prevent states from instituting measures to force the creation of backdoors or other decryption methods into products or “prohibit the manufacture, sale or lease, offering for sale or lease, or provision to the general public of a covered product or service because such product or service uses encryption or a similar security function.”

The last few years have seen a renewed effort by the FBI and other law enforcement agencies to gain access to encrypted communications platforms. Those efforts date back to the early 1990s, but the newest wave coincides with the rise of apps such as Signal, WhatsApp, and others that offer strong encryption for the masses with no special security knowledge needed. The widespread availability of these apps, along with the default device encryption on iPhones and Android devices, has made it far more difficult for law enforcement agencies to access information on suspects’ devices. However, companies such as Cellebrite have stepped in to fill that void, providing custom software and hardware platforms to extract data from locked devices.

Apple, Google, Signal, and many other providers of encrypted services or products consistently have resisted calls for backdoors or other programmatic methods for accessing encrypted communications. That has not stopped those calls from coming and the House bill is meant to quiet some of that noise.

“Robust encryption is critical for protecting the online privacy and security of all Americans and it’s essential for national security. I’ve long opposed government attempts to mandate backdoors,” said Rep. Anna Eshoo (D-Calif.).