New York wants crypto backdoors in mobile phones.
California wants crypto backdoors in mobile phones.
At least some lawmakers in Washington want states to knock it off.
Rep. Ted Lieu (D-Calif.) and Rep. Blake Farenthold (R-Tex.) on Wednesday introduced a bipartisan bill in Congress that tries to halt states’ attempts to force phone makers to weaken encryption by putting in crypto backdoors.
The bill is called the Ensuring National Constitutional Rights of Your Private Telecommunications Act.
Its less cumbersome title: The ENCRYPT Act of 2016.
The proposed law seeks to prevent any state or locality from mandating that a “manufacturer, developer, seller, or provider” design or alter the security of a product so it can be decrypted or surveilled by authorities.
This won’t be the only encryption bill that Congress will mull this year. On the other side of the encryption debate, Sen. Dianne Feinstein (D-CA), along with Sen. Richard Burr (R-NC), has plans to bring a bill to the Senate that would require companies to pierce encryption under court order.
The crypto wars have been fueled by recent terror attacks in Paris and San Bernardino, California, with district attorneys and other law enforcement officials urging lawmakers to force companies like Apple and Google to hand over encrypted data on demand.
FBI Director James Comey brought up a case in point on Tuesday, when he said that encryption has prevented federal investigators from unlocking a mobile phone belonging to one of the San Bernardino killers.
Still other lawmakers – Michael McCaul (R-Texas) and Sen. Mark Warner (D-Va.) – are working to establish a national commission to figure out how police can get at encrypted data without endangering Americans’ privacy.
Lieu told Ars Technica that The ENCRYPT Act of 2016 was inspired by the anti-encryption attempts by New York and his home state, California.
When the New York state legislator introduced the bill, I was somewhat concerned – but he was a Republican in a Democratic legislature. But when a Democratic state legislator introduced a similar bill, then I got very concerned. I’m very aware that it’s controlled by Democrats, and he could very easily get his bill passed.
It’s not that Lieu doesn’t respect the need for law enforcement to solve crimes, he said. But he does question whether the people who would undo encryption know what harm it would cause:
It’s very clear to me that the people who are asking for a backdoor encryption key do not understand the technology. You cannot have a backdoor key for the FBI. Either hackers will find that key or the FBI will let it get stolen. As you saw, the [Department of Justice] just got hacked. The [Office of Personnel Management] got hacked multiple times. If our federal government cannot keep 20 million extremely sensitive security records, I don’t see how our government can keep encryption keys safe.
A recent study published by the Berkman Center for Internet and Society questioned assertions from law enforcement that encryption is making surveillance “go dark.”
Rather, the authors suggested, the increasing number of IoT devices presents ever more opportunities for surveillance.
Lieu told Ars that he doesn’t fault law enforcement for seeking to poke holes in encryption: they want “as many tools as they can to catch the bad guys.”
But as Lieu said during a congressional hearing last year, backdoors don’t constitute a smart tool:
It is clear to me that creating a pathway for decryption only for good guys is technologically stupid, you just can’t do that.
All the yes!! We need the ENCRYPT Act to pass in the highest level of US government!! All this nonsense about backdooring encryption protocols completely negates the usefulness of encryption in the first place. I don’t care if the breaches at OPM and DoJ hadn’t happened. It /can/ and /will/ happen, because people are human and make mistakes, or for one reason or another reveal the backdoor key to someone they shouldn’t have. We are human, and we are the weakest link in the chain of security. Keep cryptographic keys out of human hands, and it makes it that much less likely that the data can be decrypted.
If we start putting backdoors in encryption, what’s to stop those protocols from being used to protect proprietary, actually-important-to-keep-confidential data such as health records or military plans?
Typical of our legislators here. They only know scare tactics and lack common sense. Especially Dianne. It’s too bad they can’t get at the phone data, but life’s a ‘b***h’ sometimes. I was an officer and know that you don’t always get the bad guy, contrary to the ‘movie rules apply’ shows. To trade all of our security on that is mindless. We all know what happened to the ‘back door’ scheme. If they can get in, anyone can get in.
“Still other lawmakers – Michael McCaul (R-Texas) and Sen. Mark Warner (D-Va.) – are working to establish a national commission to figure out how police can get at encrypted data without endangering Americans’ privacy.” McCaul, Warner, and others trying to “figure” this out need to understand that those two goals are mutually exclusive.
OK here’s a take: why not just give law enforcement the encrypted data? It’s encrypted, isn’t it? If the manufacturer’s encryption is up to snuff and you made the personal choice to enable it and use the best option available (a unique, complex password), then all they’re getting is shredded cabbage, which will take them years to decrypt. Now pundits will say that just giving this over to the authorities violates this, that or the other thing. If you’ve done your homework and used the best options available on your device, then the data will remain safe and secure until long after you’ve shed your mortal coil.
I think the authorities’ point is, they have the encrypted data on the device, but they want/need Apple/Google/Microsoft to decrypt it for them so they can have that decrypted data to use as evidence.
Problem (for them) is, Apple isn’t saying that they WON’T do it.
Apple is saying that they CAN’T do it. They literally don’t have the ability to comply with the DOJ demands, because they don’t have the encryption keys.