New Bill Takes Direct Aim at Encrypted Devices and Services

A new bill introduced yesterday in the Senate would require device manufacturers, cloud platform providers, and software makers to provide law enforcement agencies direct access to encrypted data on devices and encrypted communications services. The bill provides clear language about the way that access must work and would essentially make truly end-to-end encrypted services nearly impossible to operate.

The Lawful Access to Encrypted Data Act is sponsored by Sen. Lindsey Graham (R-S.C.) and provides the most direct challenge to the use of strong encryption for data at rest and in motion of any proposed legislation in recent years. While some other bills have made oblique references to encryption or used end-arounds to address the issue, Graham’s bill includes specific language to spell out requirements for the type of access that OS manufacturers, device makers, and cloud providers would have to provide to encrypted devices and services.

Under the provisions in the bill, when presented with a search warrant, providers would be required to assist in “decrypting or decoding information on the electronic device or remotely stored electronic information that is authorized to be searched, or otherwise providing such information in an intelligible format, unless the independent actions of an unaffiliated entity make it technically impossible to do so.”

The language concerning data in motion is similar, requiring service providers to deliver “all communications authorized to be intercepted securely, reliably, and concurrently with their transmission.”

That provision is perhaps the most worrisome from a security perspective.

"Requiring the ability to intercept and get unencrypted data 'on the wire' in real time does basically mean this is the outright ban on end-to-end encryption that we have been fearing would come. Even CALEA did not go that far," said Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society.

As with most legislation that attempts to weaken or outlaw certain forms of strong encryption, Graham and the cosponsors, Sens. Tom Cotton (R-Ark.) and Marsha Blackburn (R-Tenn.), cite the use of encrypted services and devices by terrorists, child predators, and other criminals as the motivating factor for the introduction of the bill.

“Terrorists and criminals routinely use technology, whether smartphones, apps, or other means, to coordinate and communicate their daily activities. In recent history, we have experienced numerous terrorism cases and serious criminal activity where vital information could not be accessed, even after a court order was issued. Unfortunately, tech companies have refused to honor these court orders and assist law enforcement in their investigations,” Graham said in a statement.

“My position is clear: After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans. It also puts the terrorists and criminals on notice that they will no longer be able to hide behind technology to cover their tracks.”

The requirements in the new bill share some characteristics with the Communications Assistance for Law Enforcement Act (CALEA), which gave the federal government power to require telecommunications companies to modify their systems to enable wiretapping and targeted interception of communications. CALEA does not apply to information service providers.

"This is essentially 'CALEA II' but for the 'information services' (the Internet, social media, email, cloud storage, devices) that were expressly carved out from CALEA. Weirdly, though, the bill only expressly closes the encryption carve-out in CALEA; it does not acknowledge the information services carve-out, which seems to me to create a conflict between the language of CALEA and the language of this bill," said Pfefferkorn.

Graham’s bill contemplates access to both encrypted data at rest, meaning information stored on a device or other location, and data in motion, such as messages transiting Google’s or Apple’s network. The challenges of providing that access are manifold, as are the problems with the reasoning behind the approach. Cryptographers and systems security experts have said for decades that the concept of a secure system is incompatible with exceptional access for law enforcement or any other select group.

“This bill is simply blind to reality. It is blind to the fact that as millions of us march in the streets and shelter in place, we've never been more dependent on secure communications and devices. It is blind to the expert consensus that there is no way to provide access to securely encrypted data without a backdoor, something that legislating a prize for a magical solution cannot change,” Andrew Crocker, senior staff attorney at the Electronic Frontier Foundation, said.

“And it is blind to public opinion. For decades, Americans have overwhelmingly rejected government attempts to require security flaws in technology, from the Clipper Chip, to the Apple San Bernardino case, up to Senator Graham's other misguided bill, the EARN IT Act, which would allow a government task force to outlaw end-to-end encryption. We shouldn't spend one second more debating these fictions."

Another inherent limitation of a legislative approach to this issue is that the law obviously would apply only to products or services sold or operated in the United States. There are numerous secure messaging and encrypted email services based overseas that would be outside the reach of the proposed bill. There may also be conflicts between the requirements of Graham's bill and regulations in some industries such as health care regarding data security and privacy.

"This bill raises serious questions for me about how the backdoor mandate would interact with the various data-security requirements under federal regulations and many state laws. Good cybersecurity is increasingly the law of the land, and companies have faced steep penalties for data breaches and hacks," Pfefferkorn said.

Entire sectors, such as HIPAA-covered entities, have data security obligations. How is a provider supposed to both provide adequate data security to satisfy, say, the FTC and state attorneys general, when it must also backdoor its encryption?

Unlike the EARN IT Act, which does not mention encryption but would have the effect of preventing the operation of encrypted messaging services, Graham’s bill takes the issue head on. The requirements in the legislation would place a considerable burden on service providers, device makers, and other covered companies to devise access methods for law enforcement. For some services or products, the requirements could be impossible to meet. For example, the encrypted messaging app Signal is designed in such a way that the provider does not have access to the contents of users’ messages and does not hold keys to decrypt them. Four years ago, Signal had to respond to a grand jury subpoena for details of one user account.

“The only Signal user data we have, and the only data the US government obtained as a result, was the date of account creation and the date of last use – not user messages, groups, contacts, profile information, or anything else,” Signal creator Moxie Marlinspike said in a blog post earlier this month.

“This is because we’ve designed Signal to keep your data in your hands rather than ours. Signal uses end-to-end encryption so that we never have access to the contents of the messages you send; they are only visible to you and the intended recipients.”

The Lawful Access to Encrypted Data Act has been referred to the Senate Judiciary Committee, of which Graham is the chairman. Meanwhile, the EARN IT Act is scheduled to be discussed during a Judiciary Committee meeting Thursday.