US Senators Introduce The Lawful Access To Encrypted Data Act
A group of Republican senators introduced a bill Tuesday that would weaken the lawful use of encryption so law enforcement officials could gain access to devices and communication services with a warrant. The tech industry has fought to maintain the integrity of encryption, which prevents even the companies that make the devices or platforms from being able to access their contents.
The Lawful Access to Encrypted Data Act is a balanced solution that keeps in mind the constitutional rights afforded to all Americans, while providing law enforcement the tools needed to protect the public from everyday violent crime and threats to our national security. The bill would require service providers and device manufacturers to provide assistance to law enforcement when access to encrypted devices or data is necessary but only after a court issues a warrant, based on probable cause that a crime has occurred, authorizing law enforcement to search and seize the data.
“Terrorists and criminals routinely use technology, whether smartphones, apps, or other means, to coordinate and communicate their daily activities,”
This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the internet.
Background provided in a press release includes:
- The debate over encryption and lawful access has raged on, unresolved, for years. The Lawful Access to Encrypted Data Act would bring an end to warrant-proof encryption in devices, platforms, and systems.
- Encryption is vital to securing user communications, data storage, and financial transactions. Yet increasingly, technology providers are deliberately designing their products and services so that only the user, and not law enforcement, has access to content – even when criminal activity is clearly taking place. This type of “warrant-proof” encryption adds little to the security of the communications of the ordinary user, but it is a serious benefit for those who use the internet for illicit purposes.
- Bad actors exploit warrant-proof encryption to shield dangerous and illegal activity — including terrorism, child sexual abuse, and international drug trafficking — from authorities. Many service providers and device manufacturers continue refusing to cooperate with law enforcement to help recover encrypted data, even when presented with a lawful warrant supported by probable cause. Without that cooperation, law enforcement is left with few choices: attempt to hack into the encrypted data – at the expense of months, if not years, of lost investigative time plus the millions of dollars in funds needed to execute a hack – or abandon investigations altogether. As a result, our national security is at risk, and countless serious crimes committed in communities around the United States go unsolved.
- Unfortunately, there are many examples that underscore the need to reform the current system.
- In December 2019, a member of the Royal Saudi Air Force carried out a terrorist attack at the Pensacola Naval Air Station in Pensacola, Florida, killing three service members and wounding eight. Attorney General Barr and FBI Director Wray recently announced that new evidence shows the terrorist was radicalized by al Qaeda. The FBI uncovered this evidence only after hacking into the phone to recover encrypted data. The terrorist had shot the phone in an attempt to destroy it. The FBI said they “effectively received no help from Apple” and the effort took over four months, costing “large sums of taxpayer dollars.” (Remarks, Department of Justice)
- During a money laundering investigation involving the Sinaloa Cartel, numerous lawful access issues arose because of the cartel’s use of an end-to-end encrypted app. The targets of the investigation made phone calls and sent messages using WhatsApp to coordinate drug deals and cash drops. The warrant-proof encrypted messages allowed the criminals to conceal their communications and prevent investigators from intercepting entire conversations, even with a court-authorized wiretap order. The inability to access content from WhatsApp prevented law enforcement from identifying suspects and producing seizures of drugs and money.
- In May 2015, there was a terrorist attack in Garland, Texas. ISIS later claimed responsibility. Investigators discovered that one of the terrorists in Texas exchanged more than 100 messages with a terrorist overseas using an end-to-end encrypted app. To date, the FBI is still unable to determine the content of these messages.
- Ryan Lin, a computer scientist with extensive knowledge of encryption and hacking, was accused of cyberstalking, threatening and harassing a number of victims over several years. Lin used various methods to hide his virtual identity, including VPNs, encrypted devices and encrypted overseas email accounts. During an investigation of Lin, he admitted to collecting a large amount of child sexual abuse material (CSAM) – including a dozen images of prepubescent CSAM he sent, unsolicited, to others – but had taken steps to encrypt the illegal material. Law enforcement conducted a costly and risky operation to seize Lin’s phone while he was using it to increase the likelihood of capturing unencrypted messages. Although agents were successful in obtaining Lin’s phone and material located on the phone, almost every device agents seized from Lin’s home was encrypted. Agents never recovered Lin’s CSAM collection on the seized encrypted devices. This limited law enforcement’s ability to identify victims, notify those victims, and present a fuller, more accurate portrayal of Lin’s conduct at sentencing.
- In 2016, FBI agents identified an IP address sharing image and video files of child pornography using the peer-to-peer program FrostWire. After receiving documents pursuant to legal process requests, the FBI identified a target associated with the IP address. In August 2017, FBI obtained a warrant to seize a desktop computer. The target used BitLocker, a full-volume encryption feature included with Microsoft Windows, to encrypt the desktop. Agents were unable to locate evidence of CSAM on the computer and were forced to close the case. The target of the investigation had regular access to children through his employment as a school bus driver.
- In December 2019, the Senate Judiciary Committee held a hearing titled, “Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy.”
Highlights of the Lawful Access to Encrypted Data Act:
- Enables law enforcement to obtain lawful access to encrypted data.
  - Once a warrant is obtained, the bill would require device manufacturers and service providers to assist law enforcement with accessing encrypted data if assistance would aid in the execution of the warrant.
  - In addition, it allows the Attorney General to issue directives to service providers and device manufacturers to report on their ability to comply with court orders, including timelines for implementation.
  - The Attorney General is prohibited from issuing a directive with specific technical steps for implementing the required capabilities.
  - Anyone issued a directive may appeal in federal court to change or set aside the directive.
  - The Government would be responsible for compensating the recipient of a directive for reasonable costs incurred in complying with the directive.
- Incentivizes technical innovation.
  - Directs the Attorney General to create a prize competition to award participants who create a lawful access solution in an encrypted environment, while maximizing privacy and security.
- Promotes technical and lawful access training and provides real-time assistance.
  - Funds a grant program within the Justice Department’s National Domestic Communications Assistance Center (NDCAC) to increase digital evidence training for law enforcement and creates a call center for advice and assistance during investigations.
The bill would also empower the Attorney General to direct service providers and device manufacturers to report their ability to comply with the warrant and how long it would take to do so. The Attorney General cannot direct companies to take specific technical steps and the firms could appeal the directives in federal court. The government would also be required to compensate the firms for “reasonable costs” taken on while complying with the directive, according to a press release.
While the bill does not call for an end to encryption technology outright, tech firms such as Apple have argued there is no way for “lawful access” to occur that would not break the security provided by encryption for all users.
Furthermore, the committee noted that the bill “Promotes technical and lawful access training and provides real-time assistance” and “Directs the Attorney General to create a prize competition to award participants who create a lawful access solution in an encrypted environment, while maximizing privacy and security.”
Backdoor Requirements Hurting People:
Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Center for Internet and Society at Stanford Law School, calls the bill “a full-frontal nuclear assault on encryption in the United States.” She exclaimed:
This bill is the encryption backdoor mandate we’ve been dreading was coming, but that nobody, during the past six years of the renewed crypto wars, had previously dared to introduce. Well, these three senators finally went there.
Andi Wilson Thompson, senior policy analyst at New America’s Open Technology Institute, shares the sentiment, explaining: “This bill is just another attack on encryption, and trying to portray it as a ‘balanced solution’ that could protect privacy is just an attempt to distract from its true intent.” Thompson focuses on issues including digital security, vulnerabilities equities, encryption, and internet freedom.
The Lawful Access to Encrypted Data Act “is actually even more out of touch with reality than many other recent anti-encryption bills,” said Andrew Crocker, a senior staff attorney on the civil liberties team of the Electronic Frontier Foundation (EFF). He added that the new bill is “even worse than EARN IT,” which he described as “a dangerous anti-speech and anti-security bill that would hand a government commission, led by the Attorney General, the power to determine ‘best practices’ online.”
According to the Senate Judiciary Committee:
Once a warrant is obtained, the bill would require device manufacturers and service providers to assist law enforcement with accessing encrypted data if assistance would aid in the execution of the warrant.
Crocker pointed out that the new bill “would give the Justice Department the ability to require that manufacturers of encrypted devices and operating systems, communications providers, and many others must have the ability to decrypt data upon request. In other words, a backdoor.”
The EFF attorney added: “The bill is sweeping in scope. It gives the government the ability to demand these backdoors in connection with a wide range of surveillance orders in criminal and national security cases, including Section 215 of the Patriot Act.” He warned, “Not only does the bill disregard the security of users, it allows the government to support its need for a backdoor with one-sided secret evidence, any time it feels a public court proceeding would harm national security or ‘enforcement of criminal law.’”
Emphasizing that “The requirements that the Lawful Access to Encrypted Data Act would impose upon companies would undermine the security and privacy of ordinary people while the real targets of criminal investigations could just migrate to new encrypted services,” Thompson cautioned:
This bill would ensure that companies that provide products and services used by millions in the United States have to offer weaker encryption technology, putting all of their users at risk.
The policy analyst noted: “The idea that an exceptional access backdoor can safely be developed solely for government use has been debunked over and over again by experts, including former senior members of the U.S. Justice Department.”