EFF welcomes backdoor-blocking US bill

Representatives of the two major political parties in the US have united to reintroduce a bill in Congress aimed at preventing the government from mandating vulnerabilities in data security technologies.

If enacted, the bipartisan Secure Data Act 2018 would stop any government agency or court order from forcing a company to build backdoors into encrypted devices and communications.

The bill includes safeguards that uphold security for both developers and users, stating: “No agency may mandate or request that a manufacturer, developer or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.”

Although previous versions of the bill have failed, Republican and Democratic supporters have reintroduced the bill just days after renewed calls by the law enforcement community to tackle the “problem” of encryption.

US intelligence and law enforcement agencies have requested, required and even sought court orders against individuals and companies to build a backdoor, weakening secure encryption in their product or service to assist electronic surveillance.

In a speech at the Association of State Criminal Investigative Agencies 2018 Spring Conference on 7 May, US attorney general Jeff Sessions said: “It is critical that we deal with the growing encryption or the ‘going dark’ problem.

“And the stakes are high. Last year, the FBI was unable to access investigation-related content on more than 7,700 devices – even though it had the legal authority to do so. Each of those devices was tied to a threat to the American people.

“This is a large number, but it is small compared to the number that your agencies are unable to access because of encryption.

“That is why we are working with stakeholders in the private sector, in law enforcement, and in Congress to find a solution to this problem. Ultimately, we may need Congress to take action on this issue.”

In the UK, former home secretary Amber Rudd went on a crusade against end-to-end encryption that began after the Westminster terror attack on 22 March 2017, but she appeared to back down after discussions with WhatsApp’s owner, Facebook, and Google, Twitter and Microsoft on the issue.

In an official statement after the meeting, no mention was made of restricting encryption or requiring tech firms to provide backdoors, and the government’s apparent U-turn on the issue was widely welcomed by the security industry.

However, concerns remain among technology firms about the lack of clarity around encryption and bulk data collection in the UK government’s controversial Investigatory Powers Act, which allows the government to demand “technical” changes to software and systems.

Meanwhile, the Electronic Frontier Foundation (EFF) said the new US bill “gets encryption right” and welcomed its reintroduction to Congress.

“This legislation reflects much of what the community of encryption researchers, scientists, developers, and advocates have explained for decades—there is no such thing as a secure backdoor,” the EFF said.

The EFF said the reintroduction of the bill comes just a week after the digital rights group convened a panel of true experts on Capitol Hill to explain why government-mandated backdoors face insurmountable technical challenges and will weaken computer security for all.

“Given that the DoJ [Department of Justice] and FBI continue to rely on flawed theoretical approaches to key escrow in pushing for ‘responsible encryption’, we are glad to see some Congress members are listening to the experts and taking this important step to protect anyone who uses an encrypted device or service,” the EFF said.

According to the EFF, the bill would protect companies that make encrypted mobile phones, tablets, desktop and laptop computers, as well as developers of popular software for sending end-to-end encrypted messages, including Signal and WhatsApp, from being forced to alter their products in a way that would weaken the encryption.

The bill also forbids the US government from seeking a court order that would mandate such alterations. The lone exception is for wiretapping standards required under the 1994 Communications for Law Enforcement Act, which itself specifically permits providers to offer end-to-end encryption of their services.

The EFF added: “The Secure Data Act is thus the polar opposite of the Burr-Feinstein proposal introduced in the wake of the confrontation between Apple and the FBI in the San Bernardino case, which would have allowed sweeping court orders to require technical assistance from companies like Apple.

“We have explained before that this type of mandate is unconstitutional, likely violating the First Amendment. And, as an internal DoJ report recently demonstrated, the FBI did not need Apple’s assistance in the San Bernardino case because it had the resources at its disposal to unlock the iPhone belonging to the shooter.

“Nevertheless, the bureau did not make its capabilities known to courts, Congress and the public. Legislation like the Secure Data Act would both prevent another such fight from playing out and also head off the risk of wrong-headed legislation like the Burr-Feinstein proposal.”