People in the cybersecurity industry and digital rights activists have a reason to be optimistic. Representative Zoe Lofgren (D-CA) and Thomas Massie (R-KY), Jerrold Nadler (D-NY), Ted Poe (R-TX), Ted Lieu (D-CA) and Matt Gaetz (R-FL) are sponsoring a bill in the US House of Representatives that if made law would prohibit mandatory government backdoors in software and computer hardware devices.
The Secure Data Act of 2018 is the third attempt by those Representatives to pass a law that would prohibit mandatory government backdoors. There were previous attempts in 2014 and 2015 which failed to pass.
One of the most notable recent cases of US government agencies trying to force tech companies to implement government encryption backdoors into consumer products involved Apple and the FBI. In December 2015, there was a mass shooting in San Bernadino, California. Syed Rizwan Farook was a prime suspect, and he owned an iPhone 5C. The FBI wanted to be able to decrypt the iPhone to facilitate their criminal investigation of Farook. Between the end of 2015 and 2016, Apple objected to eleven orders issued by US district courts. By February, Federal District Court for the District of Central California Judge Sheri Pym ruled that Apple must find a way to bypass the iPhone’s security features for the FBI. Apple appealed and the case continued to proceed in court. But by March 28th, the FBI announced that they were able to bypass the iPhone’s encryption with the help of a third party, rather than with Apple’s cooperation.
And that’s just one of many cases where a US government agency either mandated a government backdoor in a computing device and the vendor cooperated, or a US government agency fought a tech company in order to implement a backdoor or otherwise bypass encryption.
If the Secure Data Act of 2018 becomes law, it may be the end of government encryption backdoors in computing devices altogether.
“Except as provided in subsection (c), no agency may mandate or request that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.
Except as provided in subsection (c), no court may issue an order to compel a manufacturer, developer, or seller of covered products to design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by an agency.”
But why should potential criminals have the right to use encryption in a way that would hinder a criminal investigation? Wouldn’t we be safer if law enforcement and intelligence could examine the contents of a suspect’s computing device without any hassles?
No. Allowing any government backdoors weakens all encryption for everyone. We need strong and effective encryption to keep our financial transactions, medical records, the overall functionality of our mobile devices, PCs, and servers, and private information secure from cyber attackers.
Bruce Schneier said it best on his blog. Here’s his reaction to the case between the FBI and Apple:
“The FBI wants the ability to bypass encryption in the course of criminal investigations. This is known as a ‘backdoor,’ because it's a way at the encrypted information that bypasses the normal encryption mechanisms. I am sympathetic to such claims, but as a technologist I can tell you that there is no way to give the FBI that capability without weakening the encryption against all adversaries. This is crucial to understand. I can't build an access technology that only works with proper legal authorization, or only for people with a particular citizenship or the proper morality. The technology just doesn't work that way.
If a backdoor exists, then anyone can exploit it. All it takes is knowledge of the backdoor and the capability to exploit it. And while it might temporarily be a secret, it's a fragile secret. Backdoors are how everyone attacks computer systems.
This means that if the FBI can eavesdrop on your conversations or get into your computers without your consent, so can cybercriminals. So can the Chinese. So can terrorists. You might not care if the Chinese government is inside your computer, but lots of dissidents do. As do the many Americans who use computers to administer our critical infrastructure. Backdoors weaken us against all sorts of threats.”
I’m so relieved that there appears to be a voice of reason in the US government, via the House of Representatives. If the Secure Data Act of 2018 becomes law, it will set a very positive precedent for the future of cybersecurity in the United States. Perhaps there are some people in public office who realize that the harm of mandating government encryption backdoors is greater than any benefit law enforcement may enjoy in making their criminal investigations easier.
But the bill may fail to pass. If you’re an American citizen, I urge you to contact your Representative and ask them to vote in favor of the Secure Data Act of 2018. You can find your Representative through this page on the US House of Representatives website.