New Bill Aims to Stop State-Level Decryption Before It Starts
Over the last several months, local legislators have embarked on a curious quest to ban encryption at a state level. For a litany of reasons, this makes no sense. And now, a new bill in Congress will attempt to stop the inanity before it becomes a trend.
California Congressman Ted Lieu has introduced the “Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016,” which we’ll call ENCRYPT. It’s a short, straightforward bill with a simple aim: to preempt states from attempting to implement their own anti-encryption policies at a state level.
We’ve outlined the reasons that a patchwork of state anti-encryption laws makes no sense before, but it’s worth a quick recap. Lieu himself considers there to be three main issues with allowing government backdoors generally. (He’s also, for what it’s worth, one of four sitting Congressman with a computer science degree).
“You cannot design a technological backdoor only for the good guys, because hackers will eventually find that backdoor, or what’s more likely is the federal government will get hacked through that backdoor,” says Lieu, pointing to the recent hack of the FBI as evidence that the government doesn’t have the technological wherewithal to protect itself as is, much less with the creation of an open conduit.
Secondly, Lieu points out that US laws apply only to US companies; while Congress can theoretically force Apple to allow a backdoor, it has no say over what Samsung or LG do with their devices. Last, and maybe most compellingly, is the simple fact that despite the impracticality and exposure, it wouldn’t necessarily even help.
“There’s not a single shred of evidence that an encryption backdoor would have prevented any terrorist attack,” says Lieu.
On the other side, the arguments in favor of encryption protections at a federal level are strong. At a state-level, though, which is what Lieu’s bill attempts to address, they’re ironclad.
State of Confusion
Forcing companies to decrypt devices at a state level is so infeasible, it’s hard to believe that it’s even an issue worth addressing. Lieu’s bill should, in a rational world, make as much sense as attempting to outlaw genies. Cybersecurity legislation, though, has recently been anything but rational.
Last year, and again last month, a New York state assemblyman introduced a bill designed to allow law enforcement full access to any phone that has been seized as evidence. Last month, a California state legislator introduced a strikingly similar piece of legislation. Three would be a trend, something Lieu is eager to prevent.
“I was a little concerned, but I realized he was a Republican legislator in a democratically controlled state,” says Lieu of the New York bill introduced by Assemblyman Matthew Titone. “But when a Democratic state legislator in California issued a similar bill, then I got very concerned, because I come from the California state legislator, it is controlled by Democrats, and this bill could certainly be passed.”
The problem with state-level legislation of this nature is that it manages to be both wildly impractical and entirely unenforceable.
“It’s particularly bad for states to legislate something like this. Their power only extends to their borders, so if you required Apple to sell cellphones in California that were decryptable you could just go to Oregon, or Connecticut and get one that wasn’t,” says Andrew Crocker, attorney at the Electronic Frontier Foundation. “You start to play out how it would work, and it seems pretty impossible for states to control the flow of software and cellphones in and out of the state.”
FBI spokesperson Christopher Allen declined to comment because the legislation is still pending, but pointed to Director James Comey’s remarks before Congress this week. Comey’s long-standing position is that encryption allows bad actors to “go dark,” which most directly impacts state and local officials.
One man’s “dark space,” though, is another’s right to privacy. “If you look at San Bernardino, there were a lot of ‘dark spaces,’ such as the terrorists’ bedroom, their home,” says Lieu. “There’s dark spaces all over America, and we don’t want to change that, because we don’t want the FBI in your bedroom or in your home.”
The good news, for those who favor encryption sanity, is that Lieu’s bill already has strong bipartisan support. Blake Farenthold, a Republican from Texas, is his co-lead on ENCRYPT, and Mike Bishop (R-MI) and Suzan DelBene (D-WA) are co-sponsors.
That may sound surprising, until you remember that Lieu’s bill doesn’t tackle the issue of encryption generally, just the impracticalities of states trying to do it themselves.
“I’m very pleased that his legislation has bipartisan support,” says Lieu. “That’s because the bills doesn’t answer the question whether we should put in backdoors to weaken encryption. What it says is that states cannot make that decision. So even if you support putting in backdoors for encryption, you can still support that bill.”
While Lieu personally opposes backdoors of any kind, he doesn’t see the need right now to propose legislation that would defend encryption at a federal level. That may rankle some privacy advocates looking for more comprehensive protections, but ENCRYPT is at least a good start in that direction.
“I respect [Lieu]’s approach and think that it’s right,” says Crocker, who does think that ultimately federal-level legislation will be needed. “It gives me hope that he’s not trying to settle this debate once and for all. It’s an incremental step. I think there’s some wisdom in that.”
What Crocker’s less sure about is the bill’s viability, especially in 2016. “It’s hard to pass anything in an election year,” says the EFF attorney, “especially anything that’s not totally uncontroversial.” Bipartisan support, after all, doesn’t mean ENCRYPT won’t have its detractors. Rather than party lines, Crocker notes, the bill’s support will probably break along “the people who prioritize understanding the technology… and the people on the other side who prioritize thinking about public safety, but not how to achieve their goals.”
If ENCRYPT does pass, it will alleviate concerns over the logistical nightmare that state-sponsored anti-encryption laws would create. If it doesn’t, it’s existence will still hopefully raise awareness of how important it is to understand the technology underlying our cybersecurity challenges and protections—rather than trying to magically legislate them away.