The Senate's New Anti-Encryption Bill Is Even Worse Than EARN IT, and That's Saying Something

Right now, we rely on secure technologies like never before: to cope with the pandemic, to organize and march in the streets, and much more. Yet, now is the moment some members of the Senate Judiciary and Intelligence Committees have chosen to try to effectively outlaw encryption in those very technologies.

The new Lawful Access to Encrypted Data Act, introduced this week by Senators Graham, Blackburn, and Cotton, ignores expert consensus and public opinion, which is unfortunately par for the course. But the bill is actually even more out of touch with reality than many other recent anti-encryption bills. Since January, we've been fighting the EARN IT Act, a dangerous anti-speech and anti-security bill that would hand a government commission, led by the Attorney General, the power to determine "best practices" online. It's easy to see how that bill would enable an attack on service providers who provide encrypted communications, because the commission would be headed by Attorney General William Barr, who's made his opposition to encrypted communications crystal clear. The best that EARN IT's sponsors can muster in defense is that the bill itself doesn't use the word "encryption," asking us to trust that the commission won't touch encryption.

But if EARN IT attempts to avoid acknowledging the elephant in the room, the Lawful Access to Encrypted Data Act puts it at the center of a three-ring circus. The new bill doesn't bother with commissions or best practices. Instead, it would give the Justice Department the ability to require that manufacturers of encrypted devices and operating systems, communications providers, and many others must have the ability to decrypt data upon request. In other words, a backdoor.

The bill is sweeping in scope. It gives the government the ability to demand these backdoors in connection with a wide range of surveillance orders in criminal and national security cases, including Section 215 of the Patriot Act, a surveillance law so controversial that Congress can't agree whether it should be reauthorized.

Worse yet, the bill requires companies to figure out for themselves how to comply with a decryption directive. Their only grounds to resist is to show it would be "technically impossible." While that might seem like a concession to the long-standing expert consensus that technologists simply can't build a lawful access mechanism that only the government can use, the bill's sponsors are nowhere near that reasonable. As a hearing led by Senator Graham last December demonstrated, many legislators and law enforcement officials believe that even though any backdoor could be exploited by bad actors and put hundreds of millions of ordinary users at risk, that doesn't mean it's technically impossible. In fact, even if decryption would be impossible because the system is designed to be secure against everyone except the user who holds the key, as with full-disk encryption schemes designed by Apple and Google, that's likely not a defense. Instead, the government can require the system to be redesigned.

Not only does the bill disregard the security of users, it allows the government to support its need for a backdoor with one-sided secret evidence, any time it feels a public court proceeding would harm national security or enforcement of criminal law. As we've seen, the government already attempts to stretch the limit of surveillance laws in secret to undermine the security of communications products. This bill would make that the norm.

Finally, the bill makes almost no concession to the massive disruption it would have on how people use technology. Its limitations are almost laughable: any device that has more than a gigabyte of storage and sells more than a million units a year could have to build a government-required backdoor if it is subject to five warrants or other requests, as would any operating system or communication system with more than a million active users. Clearly the bill's authors are attempting to target iPhones, Android phones, WhatsApp, and other popular technologies, but the bill would also sweep in many specialized operating systems as well as consumer devices like Fitbits, Rokus, and so on.

It would also establish a sort of X-Prize for secure backdoors, rewarding researchers who manage to find solutions providing law enforcement access to encrypted data pursuant to legal process. But it is not a lack of resources or proper monetary incentives that has failed to square that particular circle. Instead, it is simply the inability to design a system that reliably allows access by the good guys without catastrophically weakening the security of the system.

These concerns only scratch the surface of what's wrong with this bill. As with EARN IT, we should take every opportunity to tell members of Congress to leave the secure technology we rely on alone.