Proposed LAED Act marks another chapter in the ongoing encryption battle between tech giants and government
ANALYSIS 2020 has been quite the year so far, with many of us adapting to a new way of living and working due to Covid-19.
In the technology realm, however, 2020 has become “Groundhog Day”, experts say, because of the ongoing fight between technology companies, privacy and civil rights groups, law enforcement, and the US government over encryption.
The bone of contention is end-to-end encryption, a communication approach in which the keys needed to decrypt conversations are held on the individual devices at each end rather than by service providers or device manufacturers.
Law enforcement and governments worldwide want to be able to access messages sent from consumer devices during criminal investigations – a prospect made difficult due to modern authentication checks and encryption-based security.
Want that data? We’ll need to see a warrant
However, technology companies have not yet been forced to deliberately weaken their own product security to make it easier for law enforcement to retrieve communications.
Throughout 2015 and 2016, Apple received requests from the FBI to unlock iPhones belonging to suspects in criminal investigations. This included a request to unlock an iPhone 5 belonging to San Bernardino shooting perpetrator Syed Rizwan Farook.
The FBI demanded that Apple bypass the mobile device’s passcode, but the company contested on the basis that to comply would mean creating a backdoor that posed an inherent security risk.
A legal battle ensued, but Apple was eventually taken out of the picture after a third party found an iOS authentication bypass vulnerability, allowing law enforcement to access the device.
Lawful Access to Encrypted Data Act
Encryption remains a political issue. Yet while several laws have been proposed worldwide to force technology vendors to bow to decryption demands, no country is understood to have gained backdoor-level access to commercially-made communication apps or devices.
Now, despite previous failed efforts, US legislators are making a fresh attempt to bring encryption to heel.
On June 23, Senate Judiciary Committee Chairman Lindsey Graham, alongside Senators Tom Cotton and Marsha Blackburn, introduced the Lawful Access to Encrypted Data Act (LAED), a new bill (PDF) which the US officials claim will “bolster national security interests and better protect communities across the country by ending the use of ‘warrant-proof’ encrypted technology by terrorists and other bad actors”.
Once served with a warrant, the bill requires vendors and service providers to assist law enforcement in accessing encrypted devices or data if there are “reasonable grounds to believe that the assistance required by the order will aid in the execution of the warrant”.
Furthermore, the Attorney General – currently William Barr – would be given the power to issue directives to companies to report on their ability to comply, including through the development of software to break their own encryption.
The Attorney General would also be able to launch a competition “to award participants who create a lawful access solution in an encrypted environment”.
This latest legislative play follows a succession of earlier bills that attempt to control cryptography, including the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act.
EARN IT, like LAED, also faces opposition from technologists and privacy activists such as the Electronic Frontier Foundation.
Law enforcement backdoors
Installing backdoors into cryptographic services means deliberately introducing security weaknesses, and any weakness that the police can use can also be exploited by cyber-attackers.
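The distinction the article draws between end-to-end encryption (keys held only at the endpoints) and "lawful access" (a third key holder who can also decrypt) is easy to see in code. The following is an added example, not code from the article or from any vendor it mentions. It uses only the Python standard library, so the cipher is a toy (an HMAC-SHA256 keystream with an HMAC tag, encrypt-then-MAC), not something to deploy; the participants (Alice, Bob, a relay server, an escrow key holder) and the message are constructed. It shows that a relay server sees only ciphertext, that tampering is detected, and that once an escrow key exists, whoever holds it (authorized or not) can read every wrapped conversation.

```python
"""Toy model: end-to-end encryption versus a key-escrow 'lawful access' design.

Stdlib-only, illustrative cipher (HMAC-SHA256 keystream + HMAC tag).
All names, keys and messages below are constructed for the example.
"""
import hashlib
import hmac
import secrets


def _prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 used as a pseudo-random function for key derivation and tags."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += _prf(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC. Separate encryption and MAC keys are derived from `key`."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(16)  # fresh per message so keystreams never repeat
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return {"nonce": nonce, "ct": ct, "tag": _prf(mac_key, nonce + ct)}


def open_box(key: bytes, box: dict) -> bytes:
    """Verify the tag first (constant-time compare), then decrypt."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    expected = _prf(mac_key, box["nonce"] + box["ct"])
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    ks = _keystream(enc_key, box["nonce"], len(box["ct"]))
    return bytes(c ^ k for c, k in zip(box["ct"], ks))


def try_open(key, box: dict):
    """What a party holding `key` (None = no key at all) can recover: bytes or None."""
    if key is None:
        return None
    try:
        return open_box(key, box)
    except ValueError:
        return None


def seal_with_escrow(conv_key: bytes, escrow_key: bytes, plaintext: bytes) -> dict:
    """The 'lawful access' variant: the conversation key is also wrapped under
    a third-party escrow key and shipped alongside the message."""
    box = seal(conv_key, plaintext)
    box["wrapped_key"] = seal(escrow_key, conv_key)
    return box


def open_escrowed(escrow_key: bytes, box: dict):
    """Anyone holding the escrow key unwraps the conversation key and reads the message."""
    conv_key = try_open(escrow_key, box.get("wrapped_key", {}))
    return None if conv_key is None else try_open(conv_key, box)


def demo() -> dict:
    alice_bob_key = secrets.token_bytes(32)  # shared only by the two endpoints
    escrow_key = secrets.token_bytes(32)     # the extra key a backdoor mandate requires
    msg = b"meet at 7"

    # Pure end-to-end: the relay server stores the box but holds no key.
    box = seal(alice_bob_key, msg)
    tampered = dict(box, ct=bytes([box["ct"][0] ^ 0x01]) + box["ct"][1:])

    # Escrowed: the same message, plus the conversation key wrapped for the escrow holder.
    esc = seal_with_escrow(alice_bob_key, escrow_key, msg)

    return {
        "e2ee_recipient": try_open(alice_bob_key, box),   # Bob reads it
        "e2ee_server": try_open(None, box),               # relay sees ciphertext only
        "tampered": try_open(alice_bob_key, tampered),    # modification is detected
        "escrow_recipient": try_open(alice_bob_key, esc),
        "escrow_server": try_open(None, esc),             # still nothing without a key
        "escrow_holder": open_escrowed(escrow_key, esc),  # any holder of the key reads it
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(f"{who:>17}: {result!r}")
```

The point of the last line of `demo()` is the one the critics make: the escrow key does not check who is holding it. A warrant-backed investigator and an attacker who has exfiltrated that key get the same `b"meet at 7"`, which is why a single mandated key becomes a high-value target rather than a narrowly scoped capability.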
Critics view this concept as an affront to privacy, security, and civil liberties.
In a blog post, Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford CIS, noted that this bill also goes beyond past legislative attempts, as LAED would require encryption offered by any online service relating to stored data or “data in motion” to be breakable by law enforcement.
This could include mobile devices, messaging apps, operating systems, and the full remote computing services spectrum – encompassing cloud storage services, email platforms, social media, and more.
If passed, LAED would apply to device manufacturers that have sold at least one million devices in the US since 2016 and any service provider with at least one million subscribers or users.
In a statement, Barr praised the bill, saying: “I am confident that our world-class technology companies can engineer secure products that protect user information and allow for lawful access.”
Pfefferkorn, however, has branded the proposed legislation as a “full-frontal nuclear assault on encryption in the United States”.
The new proposal prompted a collective groan on social media networks, with one Twitter user branding the ongoing battle to break vendor encryption as “legislative malware”.
“Once again we find ourselves in the movie Groundhog Day, watching members of the Senate or House put forth legislation attempting to force mandated backdoor in encryption,” Tony Cole, chief technology officer at Attivo Networks, told The Daily Swig.
“It’s critical that our legislators understand that this path to help law enforcement will also create significant new inroads for nation-states and criminals to find and break those backdoors.”
Warren Poschman, senior solutions architect at Comforte AG, a data security firm, says that such a proposal could also degrade Fourth Amendment rights, which protect against unreasonable searches and seizures by the US government.
In short, there is an inconvenient truth: to stop encryption being a challenge for law enforcement, you would need to introduce device or software backdoors, and those same backdoors could give criminals the tools required to compromise citizen services and data.
In turn, this could erode trust in device manufacturers and companies offering online services.
“Seemingly at odds with emerging privacy regulations that require or incentivize full anonymization of data, the risk is that overall security, both IT and personal, is eroded with the best intents – not to mention the potential for the government itself to be hacked,” Poschman added.