The encryption wars are back on in Congress. Here’s what’s at stake
Last week three Republican senators released a draft bill that threatens to undermine encryption, the technology that protects people's data from prying eyes.
The bill, called the Lawful Access to Encrypted Data Act of 2020, or LAED, would compel tech companies to help the government decrypt user data when ordered to by a court. Federal investigators argue they need access to the content of suspects' communications to do their jobs properly.
Many cybersecurity experts regard any encryption workaround of this kind as a "back door," and a back door built for one party is open to others: hackers, spies, and rogue government agents can exploit the same loophole, undermining everyone's security.
The proposal is the latest flare-up in a long-simmering conflict between law enforcement and a wide-ranging coalition that includes private sector companies and civil rights activists.
An ongoing fight
In 2016, an impasse over unlocking an iPhone used by one of the San Bernardino shooters caused Apple and the FBI to butt heads. The FBI eventually found a way in without Apple, hiring an outside hacking firm to do the trick.
Since FBI director James Comey, an encryption critic, left office, Attorney General William Barr has stepped in to fill the void, calling for an end to, well, end-to-end encryption, an increasingly popular technique in which only the two parties to a conversation hold the keys, so that even the company carrying the messages cannot read their content.
In October, Barr urged Facebook to halt its plans to roll out strong end-to-end encryption across its products. In January he bashed Apple for failing to help unlock a mass shooter’s iPhone, echoing the 2016 Apple vs. FBI conflict.
The conflict between government and industry has recently grown more confrontational. Now certain members of Congress have entered the fight.
Pick your poison
The new LAED bill isn’t the only anti-encryption legislation on the Hill. In March a bipartisan group of hawkish senators introduced the EARN IT Act, ostensibly designed to tackle child sexual exploitation.
The EARN IT bill leaves it to a government commission to define the "best practices" behind its loosely worded online-security requirement. Because that commission would be spearheaded by Barr, an avowed encryption opponent, most observers expect that the law would, in practice, thwart strong encryption and weaken people's security.
The LAED bill takes up encryption directly, requiring companies to be able to decrypt user data on demand, though it leaves the details of how to build that capability up to the companies. The Electronic Frontier Foundation, a tech-minded civil rights group, calls the new bill "even worse" than its predecessor because it does not veil its anti-encryption stance.
Critics of the two recent bills believe certain politicians are attempting to get their way by presenting a false choice. The new bill “is a full-frontal nuclear assault on encryption,” writes Riana Pfefferkorn, an associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society.
Pfefferkorn argues that the more recent bill, LAED, is designed to be intentionally objectionable, making the supposed alternative, EARN IT, appear “the lesser of two evils.” The double salvo is, in her view, an attempt by certain members of Congress to shift the debate to law enforcement’s benefit.
“This isn’t a Hobson’s choice that lawmakers are forced to make. They don’t have to choose between the two. They can choose to vote against both,” Pfefferkorn wrote. “The lesser of two evils is still evil.”
Though it takes a different form, the fight playing out in the legislature has roots in a policy brouhaha dating back decades.
Rehashing old debates
In the early 1990s, the U.S. government pushed for telecom companies to install a government-designed encryption chip in phones. Smaller than a key on a computer keyboard, the chip would scramble calls, but a copy of each chip's secret key would be held in escrow by federal agencies so that investigators could wiretap those calls, in the name of national security, should the (court-approved) occasion arise.
Everyone from phone companies and computer manufacturers to cryptographers and civil liberties activists objected, vehemently. The opposition argued such a mandate would sink America's fast-growing IT industry, making the country's technology uncompetitive abroad.
Among the opponents' fears were hackers exploiting the escrow system, government overreach and abuse, and general ineffectiveness: anyone seeking greater privacy, criminals especially, could simply switch to other, more strongly encrypted means of communication.
When the Clinton administration endorsed the plan, a public outcry ensued. Then an AT&T researcher exposed a severe flaw in the chip's design that let a user defeat the escrow mechanism. Meanwhile, free encryption software written by independent programmers was already spreading across the Internet, offering strong encryption to anyone with a connection.
By 1996 the White House had abandoned the proposal; the government, however, continues to put forward variations on the theme.
What’s old is new
Since the days of the so-called Clipper chip, America has grappled with its need to balance national security with protecting the public’s security and privacy. After each skirmish, the government adapts and changes its tactics.
Instead of requiring tech companies to adopt a particular prescribed system, however flawed, like the Clipper chip, the latest draft legislation, LAED, leaves the implementation details for others to figure out. Most cybersecurity and cryptography experts agree that no adequate design exists: there is no known way to build a decryption capability that only authorized parties can use, and any such loophole can be abused by bad actors.
Despite the different circumstances between then and now, many of the same arguments still apply. If encryption is weakened for one person or group, so that law enforcement can prosecute criminals, say, it is weakened for everyone. Spies and hackers will stop at nothing to exploit any chink in the armor, cybersecurity experts contend.
If any of the recent anti-encryption bills become law, it will put tech companies in an awkward position. When authoritarian regimes in regions where they operate ask for the contents of communications of political dissidents, or any people regarded as suspicious by the state, the firms will have little choice but to comply, or else risk being booted from such markets.
Right now, many tech companies stay in good graces by telling all governments the same thing: They abide by the laws of the regions in which they operate, and they can supply only information they actually have access to. For many companies, including chat app makers like Facebook-owned WhatsApp, that means call and message metadata, meaning who talked to whom and when, but not the content of conversations, which end-to-end encryption keeps out of the company's hands.
Echoes of the past
As in the past, anyone seeking stronger protection for their communications can find it elsewhere, if not in free online software, then in products from companies headquartered abroad.
To see how this might play out, look no further than Russia, which recently walked back a ban on Telegram, an encrypted messaging app, because it couldn’t keep it out of people’s hands.
Opening a hole in encryption in America could allow challengers abroad to step up. The move may, in effect, enfeeble America’s technology sector and, worse yet, leave the root problem—investigating terrorism, child predation, and criminality—unresolved as wrongdoers flock to alternative products.