The proposed EARN IT Act set off a firestorm of controversy in privacy circles when it was introduced in early March. A new proposal makes its terms look tame and reasonable by comparison. Dubbed the “Lawful Access to Encrypted Data Act of 2020”, the new anti-encryption law would require that a backdoor be placed in nearly every electronic device that has at least 1 GB of memory and all encrypted services.
The bill is essentially the Armageddon scenario of a complete government ban on encryption that some privacy advocates have been fearing (and sounding alarms about) for years. However, the terms of the bill are so outlandish and impractical that it would appear to stand little real chance of going anywhere. When one considers that it is sponsored by Senator Lindsey Graham (R-SC), who was also one of the primary sponsors of the EARN IT Act, it begins to look more like an attempt to make the original proposal sound like a comparatively reasonable compromise.
From “EARN IT” to “backdoors everywhere”
The EARN IT anti-encryption law couched its calls for law enforcement backdoors in terms of the battle against child sex trafficking, and was not nearly as expansive as the new proposal. It was nevertheless widely criticized and rejected by privacy advocates due to its requirement that online platforms either grant law enforcement an encryption backdoor or lose legal protections under Section 230 of the Communications Decency Act. Section 230 protects platforms from legal liability for user-generated content.
The bill did not propose this directly, however; it obscured its intent by simply requiring that platforms use “law enforcement approved” end-to-end encryption methods to maintain their Section 230 protections. The body that would determine that approval would be headed by Attorney General William Barr, who has vocally and repeatedly expressed a desire to have backdoors installed in all forms of end-to-end encryption, and would be disproportionately filled with law enforcement officials. The assumption that privacy advocates make is that any “law enforcement approved” encryption would have backdoors in it.
The new proposed anti-encryption law dispenses with any layers of plausible deniability. It simply calls for a law enforcement backdoor to be mandatory in any and all forms of encryption, in both hardware and software. Any sort of device that has at least 1 GB of storage capacity, even a simple handheld camera or MP3 player, would be required to have a means of government access built in. At the software end, everything from web browsers to cloud services would have to offer similar access.
Unlike the EARN IT Act, this bill is not bipartisan. In addition to Graham, two other Republican senators (Tom Cotton of Arkansas and Marsha Blackburn of Tennessee) back it. The terms would apply to any software publisher that has over a million users, or any hardware manufacturer that sells over a million units, in any single year since the start of 2016.
The bill is thus technically not looking to end all encryption entirely, but it is clearly trying to make it impossible for major hardware and software publishers like Apple, Facebook and Microsoft. Given that Google’s Android and iOS devices dominate the phone landscape, it would effectively be impossible for an end user to get a phone that could avoid having a backdoor in it somewhere.
The terms of the bill would also make it much easier for courts to issue a court order allowing law enforcement to access the backdoor for the purpose of retrieving stored data. Any judge would be forced to issue the warrant so long as the law enforcement agency can demonstrate “reasonable grounds to believe” that accessing the backdoor would aid in execution of an existing search warrant.
The anti-encryption law would appear to apply to both domestic criminal cases and those of foreign national security.
The proposed anti-encryption law is likely to stall out not just due to the serious privacy concerns, but also because it would put an undue burden on the electronics and software publishing industries. All sorts of hardware would have to be physically redesigned to enable such a backdoor, and apps would have to be re-engineered. Any new app or piece of software being developed would have to consider the possibility of creating a backdoor if it is anticipated that it will have over a million users.
The anti-encryption law does not make any allowance for the fact that any backdoor could potentially be exploited by parties other than the government. If it is technically possible to create one, developers and manufacturers would be required to under the new anti-encryption law.
But as privacy advocates have been pointing out (long since before this new bill was introduced), it is not feasible to create an encrypted messaging backdoor that is solely for law enforcement access. Once a threat actor sniffs it out and figures out how to exploit it, the device or the software is effectively ruined.
Amit Yoran, CEO of Tenable, summed up the feelings of most industry observers: “Once again, some Washington policymakers are proposing uninformed technology policy with potentially catastrophic consequences. In one of the worst tech policy concepts of recent years, this proposal would strike a critical blow to privacy, cybersecurity and the competitiveness of US technology companies, all while leaving strong encryption within reach of any serious criminal. Law enforcement has access to more information than ever before to do their jobs. Forcing the creation of backdoors to allow law enforcement access to encrypted information is a terrible idea. With an expanded attack surface driven by new connected devices, a rapidly expanded remote workforce and increasingly complex campaigns by bad actors, we should be doing everything in our power to mitigate risk, not expand it.”
Technology companies would likely enter into an endless cycle of compromise and revision under these circumstances, with it only being a question of how long it is between each new data breach of their encrypted devices.
Given all of the problems and contradictions this anti-encryption law would create, it seems unlikely to make its way through Congress. The real concern is that it could somehow be used to improve the chances of passage of the EARN IT Act, which has at least some level of bipartisan support.