A group of lawmakers from both parties has introduced a new bill in the House of Representatives that would ban government agencies from mandating encryption backdoors in hardware or software products.
The measure contains perhaps the strongest language yet in any proposed law regarding encryption and government surveillance. Introduced by Rep. Zoe Lofgren (D-Calif.) and Rep. Thomas Massie (R-Ky.), the Secure Data Act leaves essentially no room for interpretation and would prohibit the government from forcing manufacturers to compromise the encryption in their products.
The bill says “no agency may mandate or request that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.”
The introduction of the Secure Data Act comes at a time when there is increasing pressure from law enforcement agencies in the United States and abroad on technology providers to find a way to provide so-called exceptional access to encrypted devices and communications. The problem is a decades-old one, but as manufacturers such as Apple and Google have moved to make their devices encrypted by default in recent years, it has become more of an issue. The increased popularity of encrypted messaging apps such as Signal and WhatsApp has added to the conflict, too.
“Encryption backdoors put the privacy and security of everyone using these compromised products at risk,” said Lofgren. “It is troubling that law enforcement agencies appear to be more interested in compelling U.S. companies to weaken their product security than using already available technological solutions to gain access to encrypted devices and services. Congress must act to protect the products available to Americans that keep their personal information safe from warrantless surveillance and hackers intent on breaching their data.”
The Secure Data Act would prohibit encryption backdoors in hardware, software, or electronic devices that are available to the general public. The bill includes a clause that prohibits agencies from using court orders to insert backdoors, as well.
“No court may issue an order to compel a manufacturer, developer, or seller of covered products to design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by an agency,” the bill says.
Services that use end-to-end encryption and devices that encrypt stored data by default have become serious obstacles for both intelligence and law enforcement agencies, and there have been several public disputes in recent years over the government’s inability to access seized devices or decrypt communications. The most notable example was the disagreement between Apple and the FBI in 2016 over an encrypted iPhone used by a terrorist. The FBI went to court in an attempt to force Apple to create a backdoored version of iOS that could be loaded onto the phone. Apple refused, and the FBI eventually dropped the court case after it found an outside forensics firm that could unlock the device.
Civil liberties groups say the Secure Data Act could be a major step forward in protecting users’ rights to secure communications.
“This welcome piece of legislation reflects much of what the community of encryption researchers, scientists, developers, and advocates have explained for decades—there is no such thing as a secure backdoor,” David Ruiz of the EFF wrote.
Massie said any attempts to weaken encryption weaken the security of everyone who uses those products.
“When the government forces companies to insert security backdoors in their products, they make Americans less safe,” said Massie. “Backdoors in otherwise secure products make Americans’ data less safe, and they compromise the desirability of American goods overseas.”