“Worse Than EARN IT”: Republicans Introduce Second Encryption Ban Bill

Republican senators are doubling down on market interference by introducing a second bill that would ban all effective encryption.

US Republican senators have launched a new initiative to massively expand the size of government and introduce a whole new layer of government market interference. In this case, they are introducing a new piece of legislation known as the Lawful Access to Encrypted Data Act. The bill represents the newest effort to ban all effective encryption and security in the country. For some, a law like this, if passed, will destroy the tech sector from a security standpoint and, as a result, drive away business in the country.

The bill itself is largely seen as a follow-up to the disastrous EARN IT bill, which also seeks to ban effective encryption in the country. Several organizations recently made efforts to raise awareness of that legislation and warn of its dangers. It has long been blasted for being a threat to users' security online.

Now, we are seeing a second effort on the part of Republican senators. From Engadget:

A trio of Republican senators have submitted a bill that seeks to bring an end to “warrant-proof” encryption. If it passes into law as is, the Lawful Access to Encrypted Data Act would compel “device manufacturers and service providers” to help law enforcement access encrypted data if that would help them carry out a warrant.

The bill — from Lindsey Graham (South Carolina), Tom Cotton (Arkansas) and Marsha Blackburn (Tennessee) — would permit the Attorney General to require those providers and manufacturers to explain “their ability to comply with court orders, including timelines for implementation.” However, the AG wouldn’t be able to tell them exactly how to include a backdoor for law enforcement to access encrypted data.

It’d also require the AG to create a competition that would reward “participants who create a lawful access solution in an encrypted environment, while maximizing privacy and security.” In addition, the bill would allocate funding for the Justice Department’s National Domestic Communications Assistance Center in order to bolster “digital evidence training for law enforcement.”

The legislation was resoundingly rejected by digital rights organizations and blasted as “worse than EARN IT”. From the Electronic Frontier Foundation:

The new Lawful Access to Encrypted Data Act—introduced this week by Senators Graham, Blackburn, and Cotton—ignores expert consensus and public opinion, which is unfortunately par for the course. But the bill is actually even more out of touch with reality than many other recent anti-encryption bills. Since January, we’ve been fighting the EARN IT Act, a dangerous anti-speech and anti-security bill that would hand a government commission, led by the Attorney General, the power to determine “best practices” online. It’s easy to see how that bill would enable an attack on service providers who provide encrypted communications, because the commission would be headed by Attorney General William Barr, who’s made his opposition to encrypted communications crystal clear. The best that EARN IT’s sponsors can muster in defense is that the bill itself doesn’t use the word “encryption”—asking us to trust that the commission won’t touch encryption.

But if EARN IT attempts to avoid acknowledging the elephant in the room, the Lawful Access to Encrypted Data Act puts it at the center of a three-ring circus. The new bill doesn’t bother with commissions or best practices. Instead, it would give the Justice Department the ability to require that manufacturers of encrypted devices and operating systems, communications providers, and many others must have the ability to decrypt data upon request. In other words, a backdoor.

The bill is sweeping in scope. It gives the government the ability to demand these backdoors in connection with a wide range of surveillance orders in criminal and national security cases, including Section 215 of the Patriot Act, a surveillance law so controversial that Congress can’t agree whether it should be reauthorized.

Worse yet, the bill requires companies to figure out for themselves how to comply with a decryption directive. Their only grounds to resist is to show it would be “technically impossible.” While that might seem like a concession to the long-standing expert consensus that technologists simply can’t build a “lawful access” mechanism that only the government can use, the bill’s sponsors are nowhere near that reasonable. As a hearing led by Senator Graham last December demonstrated, many legislators and law enforcement officials believe that even though any backdoor could be exploited by bad actors and put hundreds of millions of ordinary users at risk, that doesn’t mean it’s “technically impossible.” In fact, even if decryption would be “impossible” because the system is designed to be secure against everyone except the user who holds the key —as with full-disk encryption schemes designed by Apple and Google—that’s likely not a defense. Instead, the government can require the system to be redesigned.

Not only does the bill disregard the security of users, it allows the government to support its need for a backdoor with one-sided secret evidence, any time it feels a public court proceeding would harm national security or “enforcement of criminal law.” As we’ve seen, the government already attempts to stretch the limit of surveillance laws in secret to undermine the security of communications products. This bill would make that the norm.

What is particularly striking is the fact that this is being tabled in an environment where data breaches have practically become routine news. Organizations are constantly getting hacked and this is without backdoors being mandated. So, one can only imagine just how much the problem of data breaches will explode once a mandate to weaken security is put in place. If anything, this legislation is the exact opposite of the direction the government should be heading. Of course, American politics is completely mired in senselessness as it is, so it probably isn’t a surprise something like this cropped up in that light.

Still, a threat to users' security is a threat to users' security. For the sake of everyone, we can only hope that this bill dies off as well.

Drew Wilson on Twitter: @icecube85 and Facebook.
