A new bill introduced in Congress gets encryption right.
The bipartisan Secure Data Act would stop any government agency or court order from forcing a company to build backdoors into encrypted devices and communications.
This welcome piece of legislation reflects much of what the community of encryption researchers, scientists, developers, and advocates has explained for decades—there is no such thing as a secure backdoor. Just last week, EFF convened a panel of true experts on Capitol Hill to explain why government-mandated backdoors face insurmountable technical challenges and will weaken computer security for all. Given that the DOJ and FBI continue to rely on flawed theoretical approaches to key escrow in pushing for “responsible encryption,” we’re glad to see some Congress members are listening to the experts and taking this important step to protect anyone who uses an encrypted device or service.
EFF supports the Secure Data Act, introduced by Representatives Zoe Lofgren (D-CA), Thomas Massie (R-KY), Ted Poe (R-TX), Jerry Nadler (D-NY), Ted Lieu (D-CA), and Matt Gaetz (R-FL). You can read the full bill here.
The two-page bill has sweeping safeguards that uphold security both for developers and users. As the bill says, “no agency may mandate or request that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.”
This bill would protect companies that make encrypted mobile phones, tablets, desktop and laptop computers, as well as developers of popular software for sending end-to-end encrypted messages, including Signal and WhatsApp, from being forced to alter their products in a way that would weaken the encryption. The bill also forbids the government from seeking a court order that would mandate such alterations. The lone exception is for wiretapping standards required under the 1994 Communications Assistance for Law Enforcement Act (CALEA), which itself specifically permits providers to offer end-to-end encryption of their services.
The Secure Data Act is thus the polar opposite of the Burr-Feinstein proposal introduced in the wake of the confrontation between Apple and the FBI in the San Bernardino case, which would have allowed sweeping court orders to require technical assistance from companies like Apple. We’ve explained before that this type of mandate is unconstitutional, likely violating the First Amendment. And, as an internal DOJ report recently demonstrated, the FBI did not need Apple’s assistance in the San Bernardino case because it had the resources at its disposal to unlock the iPhone belonging to the shooter. Nevertheless, the Bureau did not make its capabilities known to courts, Congress, and the public. Legislation like the Secure Data Act would both prevent another such fight from playing out and also head off the risk of wrong-headed legislation like the Burr-Feinstein proposal.