U.S. Senators introduced the Lawful Access to Encrypted Data Act in an attempt to mandate backdoors. The bill gives the Department of Justice the ability to force companies and service providers to decrypt data upon request and bans so-called “warrant-proof” encryption.
The Lawful Access to Encrypted Data Act (pdf html) applies to providers across the board. According to a blog post from the Center for Internet and Society at Stanford Law School, the bill applies to providers of operating systems, messaging applications, email providers, manufacturers of computers, video game consoles, smartphones, or “basically any electronic device with just 1 GB of storage capacity.”
The bill distinguishes between stored data and data in motion.
Law enforcement must apply for a search warrant for the data stored on a physical device or data stored remotely. During or after the application for a search warrant, law enforcement must also apply for a court order requiring technical assistance from the provider of the device or data in the search warrant. If law enforcement can provide “reasonable grounds to believe” that execution of the search warrant would be helped with cooperation from the provider, the presiding judge must issue the technical assistance order.
The bill does not allow the government to direct the technical details of a provider’s compliance, however. This would prevent the well-known court order issued to Apple in 2016. That order, titled In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203," required Apple to create an operating system (GovtOS) for the FBI that would allow them to access the contents of an encrypted iPhone.
The iPhone in question belonged to the government of San Bernardino County, California. The county had issued the iPhone to an employee named Syed Rizwan Farook. Farook was one of the shooters involved in the attack in San Bernardino in December 2015 that left 14 people dead. The FBI recovered the iPhone but claimed they could not access the contents of the phone. Apple was also unable provide law enforcement with the contents of the device since new encryption methods prevented Apple from “comply[ing] with government warrants asking for customer information to be extracted from devices.”
In response to Apple’s inability to provide backdoor access to the device, the FBI obtained a court order (pdf, html) to force Apple’s hand. The court order required Apple to:
- “bypass or disable the auto-erase function whether or not it has been enabled”
- “enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available”
- “ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware”
The order was issued under the All Writs Act. Magistrate Judge James Orenstein vacated the order (pdf, html). In response, the judge wrote, “the relief the government seeks is unavailable because Congress has considered legislation that would achieve the same result but has not adopted it.” It appears as if the Lawful Access to Encrypted Data Act would effectively replace the All Writs Act in this context. However, an order such as the one issued to Apple in the San Bernardino case would no longer be necessary under the newly introduced bill. The bill unambiguously bans encryption without a backdoor or alternative method of decryption by the provider.
Data in Motion
For data in motion, the bill builds on the federal Wiretap Act as well as the federal Pen Register Act. The statutes governing pen registers (18 U.S. Code Chapter 206 — Pen Registers and Trap and Trace Devices) will be modified to include language that requires providers to turn over the requested data in a decrypted format or in “an intelligible format.”
A wire or electronic communication service provider that had more than 1,000,000 monthly active users in the United States in January 2016 or any month thereafter shall ensure that the provider has the ability to provide the information described in paragraphs (3) and (7) of section 3127 directly to law enforcement agencies in an intelligible format…"
For reference, paragraph three of section 3127:
the term “pen register” means a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication, but such term does not include any device or process used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device or process used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business.
And paragraph seven, which the Lawful Access to Encrypted Data Act will add to the Pen Register Act:
- The term ‘technical assistance’ includes
- isolating all dialing, routing, addressing, and signaling information authorized to be acquired;
- decrypting, decoding, or otherwise providing in an intelligible format the dialing, routing, addressing, and signaling information authorized to be acquired, unless the independent actions of an unaffiliated entity make it technically impossible to do so; and
- delivering all dialing, routing, addressing, and signaling information authorized to be acquired securely, reliably, and concurrently with its transmission.
Senate Judiciary Press Release
Senate Judiciary Committee Chairman Lindsey Graham:
“Terrorists and criminals routinely use technology, whether smartphones, apps, or other means, to coordinate and communicate their daily activities. In recent history, we have experienced numerous terrorism cases and serious criminal activity where vital information could not be accessed, even after a court order was issued. Unfortunately, tech companies have refused to honor these court orders and assist law enforcement in their investigations. My position is clear: After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans. It also puts the terrorists and criminals on notice that they will no longer be able to hide behind technology to cover their tracks.”
U.S. Senator Tom Cotton:
“Tech companies’ increasing reliance on encryption has turned their platforms into a new, lawless playground of criminal activity. Criminals from child predators to terrorists are taking full advantage. This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet."
U.S. Senator Marsha Blackburn:
“User privacy and public safety can and should work in tandem. What we have learned is that in the absence of a lawful warrant application process, terrorists, drug traffickers and child predators will exploit encrypted communications to run their operations”
According to those backing the bill, the highlights of the Lawful Access to Encrypted Data Act include:
- Enables law enforcement to obtain lawful access to encrypted data.
- Once a warrant is obtained, the bill would require device manufacturers and service providers to assist law enforcement with accessing encrypted data if assistance would aid in the execution of the warrant.
- In addition, it allows the Attorney General to issue directives to service providers and device manufacturers to report on their ability to comply with court orders, including timelines for implementation.
- The Attorney General is prohibited from issuing a directive with specific technical steps for implementing the required capabilities.
- Anyone issued a directive may appeal in federal court to change or set aside the directive.
- The Government would be responsible for compensating the recipient of a directive for reasonable costs incurred in complying with the directive.
- Incentivizes technical innovation.
- Directs the Attorney General to create a prize competition to award participants who create a lawful access solution in an encrypted environment, while maximizing privacy and security.
- Promotes technical and lawful access training and provides real-time assistance.
- Funds a grant program within the Justice Department’s National Domestic Communications Assistance Center (NDCAC) to increase digital evidence training for law enforcement and creates a call center for advice and assistance during investigations.
According to the EFF, the Lawful Access to Encrypted Data Act is worse than the EARN IT Act. “We should take every opportunity to tell members of Congress to leave the secure technology we rely on alone,” Andrew Crocker, an EFF attorney, wrote.