- A group of Republican senators introduced a bill Tuesday that would weaken the lawful use of encryption in communication services so law enforcement officials could gain access to devices with a warrant.
- The "Lawful Access to Encrypted Data Act" was introduced by Senate Judiciary Chairman Lindsey Graham and Sens. Tom Cotton and Marsha Blackburn.
- Tech industry leaders have warned that any system requiring a "backdoor" to encryption would undermine its privacy protections altogether.
A group of Republican senators introduced a bill Tuesday that would weaken the lawful use of encryption so law enforcement officials could gain access to devices and communication services with a warrant.
The tech industry has fought to maintain the integrity of encryption, which prevents even the companies that make the devices or platforms from being able to access their contents.
Encrypted services only let the sender and recipient see messages. Law enforcement officials have insisted that they must have some way to access encrypted platforms and devices when investigating crimes. But industry leaders have warned that any system requiring a "backdoor" to encryption would undermine the privacy protections altogether.
The Lawful Access to Encrypted Data Act, introduced by Senate Judiciary Chairman Lindsey Graham, R-S.C., and Sens. Tom Cotton, R-Ark., and Marsha Blackburn, R-Tenn., would require tech companies to assist law enforcement to access their encrypted devices and services when officials obtain a court-issued warrant based on probable cause that a crime has occurred.
The bill would also empower the Attorney General to direct service providers and device manufacturers to report their ability to comply with the warrant and how long it would take to do so. The Attorney General cannot direct companies to take specific technical steps and the firms could appeal the directives in federal court. The government would also be required to compensate the firms for "reasonable costs" taken on while complying with the directive, according to a press release.
While the bill does not call for an end to encryption technology outright, tech firms such as Apple have argued there is no way for "lawful access" to occur that would not break the security provided by encryption for all users.
Law enforcement concerns with encryption reached the public consciousness in 2015, when Apple clashed with the Federal Bureau of Investigation by refusing to help unlock a shooter's iPhone in an attack in San Bernardino, California.
More recently, the FBI and Department of Justice under Attorney General William Barr have taken aim at Facebook, which revealed plans to integrate its three messaging services and make them all end-to-end encrypted. Facebook has played an integral role in law enforcement's efforts to detect and track down child predators. Law enforcement has feared that the new encryption push will further endanger children who will continue to be exploited with fewer ways to track them down.
Last year, Barr asked Facebook to postpone its encryption plans and create a way for law enforcement to access illegal content. In response, Facebook executives wrote, "It is simply impossible to create such a backdoor for one purpose and not expect others to try and open it."
In response to the Lawful Access to Encrypted Data Act, a Facebook spokesperson said: "End-to-end encryption is a necessity in modern life — it protects billions of messages sent every day on many apps and services, especially in times like these when we can't be together. Rolling back this vital protection will make us all less safe, not more. We are committed to continuing to work with law enforcement and fighting abuse while preserving the ability for all Americans to communicate privately and securely."
The Information Technology Industry Council, a trade group that counts Facebook and Apple among its members, also opposed attempts to provide a backdoor to encryption.
"Encryption is critical to protecting privacy and security, and these government access mandates would critically weaken online safety," ITI President and CEO Jason Oxman said. "Government decrees to weaken encryption will compromise consumers' security and trust and could expose their medical, work, and personal information to foreign governments or criminal actors. Legislation to weaken security also runs counter to concerns lawmakers have raised about the need for companies to protect user data from hackers and other threats online, including in the lead up to the 2020 election. The tech sector works today with law enforcement under appropriate legal process, and will continue to do so while also protecting the security and privacy of our users."
Law enforcement officials have argued it's gotten harder to access encrypted content. At a December hearing in front of the Senate Judiciary Committee, Manhattan District Attorney Cyrus Vance testified that breaking into encrypted devices has been harder to do since Apple released its iOS 8 in 2014 with greater security features.
Still, in many cases, law enforcement agencies have been able to break encryption technology on their own or with the help of third parties. That was the case in 2015 with the San Bernardino shooter's phone, for example. Vance testified last year that his office is able to unlock about half of the Apple devices it obtains in criminal investigations with the help of third-party vendors but said that work could be "cost-prohibitive."
The bill would install new incentives for tech companies to come up with innovative ways to provide "lawful access" to encrypted devices and services. It would direct the attorney general to create a prize competition for lawful access solutions that operate in encrypted environments while maximizing privacy and security. It would also fund a grant program at the DOJ to train law enforcement on digital evidence and set up a call center to assist during investigations.
The new bill fulfills a promise Graham made to Apple and Facebook representatives at the 2019 hearing.
"You're going to find a way to do this or we're going to do this for you," he said at the time.
Graham has also introduced the "EARN IT Act" with Sen. Richard Blumenthal, D-Conn., which tech advocates have criticized as a thinly veiled way to undermine encryption, an argument the senators have disputed. The bill aims to revise Section 230 of the Communications Decency Act, which shields online platforms from liability for their users' posts. Rather than grant a blanket protection, the bill would require companies to "earn it" by certifying compliance with a set of best practices for detecting and reporting child sexual exploitation materials. The bill is scheduled for a committee meeting Thursday.