Senate Bill Could End User Privacy on Everyday Devices

By: Matthew McCarthy

The average American’s privacy both online and on personal devices is once again being threatened by a newly proposed bill called the Lawful Access to Encrypted Data Act. If this bill is signed into law, organizations and manufacturers like Apple and Google, as well as messaging apps like WhatsApp and Signal, will be required to provide a “backdoor” to their encrypted devices and applications for law enforcement to access. This means that everyday devices, such as iPhones and Rokus, would need to have a built-in encryption backdoor that authorities could use to access any private information on the device. The bill aims to allow authorities to have quick access to encrypted devices and communications in connection with surveillance orders and national security cases. Authorities want access to this encrypted data so they can monitor terrorist and criminal communications and activities, because otherwise it is very difficult and nearly impossible to obtain that information without permission from the developer, organization, or manufacturer. In theory, allowing police to access encrypted information from devices and applications sounds like a good idea; however, serious privacy concerns for all Americans will arise as direct consequences of this bill passing.

Lawmakers have spent many years trying to tackle the issue of “warrant-proof” encrypted devices, platforms, and systems. Lindsey Graham, the drafter of the bill, posits that “terrorists and criminals routinely use technology … to coordinate and communicate their daily activities” and that there are “numerous terrorism cases and serious criminal activity where vital information could not be accessed” due to technology companies’ uncooperativeness with law enforcement during investigations. The Lawful Access to Encrypted Data Act allows courts to order device manufacturers, operating system providers, remote computing service providers, communication service providers, and other platforms with over a million yearly users to assist law enforcement in accessing encrypted information sought by a search warrant unless it is “technically impossible to do so.”

To understand the negative ramifications of the Lawful Access to Encrypted Data Act, one must know what encryption is, how it works, and why a “backdoor” for law enforcement is a double-edged sword. In the simplest terms, encryption is a way to convert data into a scrambled form using a complex algorithm so that only authorized parties (usually the manufacturer/developer) can access and understand that data. Encryption ensures that communications and information are kept private except for the intended user or recipient, and the only way to “unscramble” the data is by having a “key” to turn it back into readable data.

Secure encryption, when working as intended, is extremely hard to decrypt by “brute force” or guessing with programs; however, a backdoor to secure encryption creates a chink in the proverbial armor that cybercriminals can exploit to access encrypted information. Since algorithms create “random” encryption to scramble data, adding a backdoor with predictable data allows other nations, state-sponsored advanced persistent threats (“APTs”), and criminals to predict the algorithm and access secure data of US citizens, companies, and any other entity that stores secure data. There is no “good guys only” backdoor, and eventually the weakness in the encryption will be exploited. Some organizations and manufacturers may argue that it is technically impossible to create a backdoor because it can be exploited by bad actors and put millions of users’ privacy and information at stake; however, under this bill the government can require the system to be redesigned if necessary.

The backdoor vulnerability proposed by the bill would be required in any device that has more than a gigabyte of storage and sells more than a million units a year, which includes devices like iPhones, Android phones, WhatsApp, and other technologies such as Fitbits, Rokus, etc. This means that almost any device that Americans use on a daily basis could have a backdoor vulnerability, and the data stored on that device has the potential to be accessed by foreign nations, APTs, and criminals. Other nations and international organizations have recognized the disparate impact encryption backdoors would have on the average citizen. One example of this is the EU’s Article 29 Working Party, which advised that forcing encryption backdoors on citizens and organizations, as some countries plan to do, is not an “effective measure against criminals since they would continue to use or adapt the strongest state of the art encryption to protect their data … harm[ing] the honest citizen by making their data vulnerable.”

While there is a legitimate and reasonable concern among policymakers around the use of encryption services by criminals and terrorists, there needs to be a serious cost-benefit analysis to determine whether encryption backdoors are worth the cost of infringing on hundreds of millions of Americans’ privacy. Instead, perhaps authorities can use their arsenal of existing tools for investigation and surveillance to try to monitor terrorist and criminal activity. Additionally, it has been shown that authorities have the capability to crack encrypted devices without backdoor access. This bill, if passed, would give authorities an incredibly powerful tool in their investigation arsenal for surveilling criminal and terrorist activities; however, the bill would most likely just cause criminals to switch to other methods of encryption, leaving the privacy and information of the average person in America vulnerable for all the world to see.

Student Bio: Matt McCarthy is a second-year law student at Suffolk University Law School with an interest in data privacy. He is also a Staff Member of the Journal of High Technology Law. Prior to law school, Matt received his Bachelor of Arts degree in International Relations from Boston University.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.

 
