The US state of New York is proposing legislation that will require technology firms to allow back door access to devices and decryption capabilities to law enforcement agencies.
While the US federal government has shied away from such a controversial move, the state’s proposed bill requires any smartphone made after 1 January 2016 and sold or leased in New York to be capable of being decrypted and unlocked by its manufacturer or its operating system provider.
If the bill is enacted, anyone selling or leasing a smartphone that fails to comply with this requirement will face a fine of $2,500 per device.
The bill was formally introduced by assemblyman Matthew Titone in June 2015, but was referred to committee only in the first week of January 2016, according to The Next Web.
According to the proposed bill, “passcode-protected devices render lawful court orders meaningless and encourage criminals to act with impunity”.
The move comes despite strong opposition to weakened encryption or back doors by the world’s largest technology firms, which have also raised concerns on the issue relating to the UK’s proposed Investigatory Powers Bill.
In November 2015, the Information Technology Industry Council (ITI) – which represents more than 60 technology companies including Google, Apple, Microsoft, Intel and Facebook – said in an open letter to US president Barack Obama that it opposes “any policy actions or measures” by the federal government that would undermine encryption technologies.
“Encryption is a security tool we rely on every day to stop criminals from draining our bank accounts, to shield our cars and airplanes from being taken over by malicious hacks and to otherwise preserve our security and safety,” said ITI president and chief executive Dean Garfield.
“We deeply appreciate law enforcement's and the national security community’s work to protect us, but weakening encryption or creating backdoors to encrypted devices and data for use by the good guys would actually create vulnerabilities to be exploited by the bad guys, which would almost certainly cause serious physical and financial harm across our society and our economy. Weakening security with the aim of advancing security simply does not make sense.”
The letter was issued a day after Manhattan district attorney Cyrus Vance released a report calling for access to encrypted data on smartphones.
The report criticised Apple and Google for their decision to implement data encryption on their iOS and Android mobile operating systems, claiming “severe” consequences for public safety, and called for smartphones to be made subject to search warrants that could compel Apple and Google to unlock encrypted data held on the device.
In light of the fact that the US federal government does not seem keen to introduce legislation requiring technology companies to design smartphone operating systems with weaker encryption, it appears New York is considering going it alone.
The proposed bill has yet to be voted on by the state assembly and senate, but is unlikely to get any support from the federal government.
Tech firms seek clarity
In March 2015, president Obama criticised China over a proposed counter-terrorism law that would require technology firms that want to trade in China to share their encryption keys and put backdoors in their software.
In a joint submission to the Joint Committee on the draft Investigatory Powers Bill inquiry, Facebook, Google, Microsoft, Twitter and Yahoo have called for greater clarity around encryption, saying it is a fundamental security tool that is important to the security of the digital economy – as well as crucial to ensuring the safety of web users worldwide.
“We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption or any other means. We therefore have concerns that the bill includes ‘obligations relating to the removal of electronic protection applied by a relevant operator to any communication or data’, and that these are explicitly intended to apply extraterritorially with limited protections for overseas providers,” they said.
In light of statements by home secretary Theresa May that the bill is not intended to weaken the use of encryption, the technology firms suggest that the bill expressly state that nothing in it should be construed to require a company to weaken or defeat its security measures.
Giving oral evidence to the joint committee on 13 January 2016, the home secretary said there were no plans to change the legal rule about encryption or to require service providers to hand over private encryption keys.
“When a warrant is lawfully served on them there is an expectation of them that they can take reasonable steps on that warrant,” she said.
That meant internet and phone companies should provide data in a form law enforcement and security services can read, she said. “We are not saying to them to give us keys to their encryption.”
This approach appears to be consistent with current thinking in the US, where the government is working with service providers to find a way of accessing the information needed by law enforcement and counter-terrorism officers without resorting to back doors or weaker encryption.