Do you own your data? Is it private? Or are you happy to let someone sneak in the backdoor? Governments have long argued that they require the magic key to access data on encrypted devices in order to combat new threats that are emerging. It’s no secret that players with malicious intent are using encrypted devices to communicate. Governments say that they are acting for ‘the greater good’ when they request an encryption backdoor to that data. However, there is a problem with this logic. They may very well be acting in a manner that will protect their electorate – but it also means that those players with malicious intent can also pry open that encryption backdoor. However small the chance – it does exist.
It’s a fine line.
And that line is drawn in the sand. Sand that is continually being eroded by the relentless tide of government concerns around access to encrypted devices. The situation is further complicated by the fact that each of the states in the U.S. has its own legal framework surrounding the ability of the state to force a manufacturer, developer or seller to build encryption backdoors in their devices. This may have led to some players overstepping that line in the sand.
In a rare example of bipartisan cooperation, Republicans and Democrats have banded together to propose the ENCRYPT Act (Ensuring National Constitutional Rights for Your Private Telecommunications), which would stop any government agencies from demanding that “a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.” It is meant to preempt state and local government efforts to implement disparate policies around backdoors to encrypted devices. In essence, it would be a national standardized policy.
The bill also requires that “no agency may mandate or request that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.”
But the conversation surrounding the necessity for a secure data act is more complicated than it may appear on the surface. There are two schools of thought about encryption and backdoor access.
Encryption backdoor – A difference of opinion
In 2017 U.S. Deputy Attorney General Rod Rosenstein argued that “Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones that permit criminals and terrorists to operate without detection by police and without accountability by judges and juries.”
His stance was that “responsible encryption” would solve the problem. “Responsible encryption,” he claimed, could “involve effective, secure encryption that allows access only with judicial authorization.”
This is all well and good. In an ideal world where malicious players are not continually probing for weaknesses in an encryption backdoor, the idea has merit. Unfortunately, we do not live in an ideal world. If law enforcement can bypass encryption, that encryption backdoor can be exploited by anyone else. A malicious player would only have to discover the bypass to gain the same access as law enforcement agencies.
Organizations such as The Internet Society disagree with the idea of “responsible encryption”.
Mark Buell, North American Regional Bureau Director of the society, went on record as saying that strong encryption is essential for an individual’s security, not a barrier. In his words, “It makes everyone more secure from threats from criminals, terrorists, and other adversaries. Weakening encryption may seem like an attractive option, a quick fix to a real security challenge.”
They are not alone in this opinion.
Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, commented, “The re-introduction of legislation to not force technologies to implement security backdoors is an unfortunate necessity. Undoubtedly any backdoor that is introduced will be available to both law enforcement and bad actors alike, collectively making us less secure.”
The challenge of national policy
But there is another challenge that faces law enforcement and government regulators in the U.S. This is the fact that there is no national policy regarding encryption backdoors.
The current regulatory framework regarding encryption backdoors, and just how law enforcement and other players can co-opt that framework, is causing headaches for both device manufacturers and law enforcement. As it stands, each state has its own framework for how its law enforcement representatives can access encrypted information. This situation has been characterized as a “patchwork system” by lawmakers, including Jim Jordan (R-Ohio). He commented: “Encryption exists to protect us from bad actors and can’t be weakened without also putting every American in harm’s way. We know federal agencies have abused warrantless surveillance in the past.” He noted that “the current patchwork system for encryption makes it easier for further abuses of the system and increases the problem by creating potential opportunities for abuse by third party actors.”