New Bill Targeting ‘Warrant-Proof’ Encryption Draws Ire

The Lawful Access to Encrypted Data Act is being decried as “an awful idea” by security experts.

Privacy advocates are decrying a new bill that would force tech companies to unlock encrypted devices if ordered to do so by law enforcement with a court-issued warrant.

The Lawful Access to Encrypted Data Act was introduced on Tuesday by Senate Judiciary Committee Chairman Lindsey Graham (R-SC), Sen. Tom Cotton (R-AR) and Sen. Marsha Blackburn (R-TN). The three argued that ending the use of “warrant-proof” encrypted technology would “bolster national security interests” and “better protect communities across the country.” Such encryption cloaks illicit behavior during criminal investigations into terrorists and other bad actors, they said.

Tech companies, security experts and privacy experts all staunchly disagree, arguing that the bill will instead open up the potential for abuse by law enforcement and infringe on the data privacy of consumers.

“Bluntly, this bill is an awful idea,” Allan Liska, solutions architect with Recorded Future, told Threatpost. “Any sort of backdoor or weakened encryption can be used by adversaries to gain access to unauthorized data, not to mention the potential for abuse by law enforcement, despite assurances to the contrary. Finally, if this bill were to pass, people who are conducting nefarious activity will just switch to tools that are built outside of the United States where there will be no backdoor access. So, the FBI will not only not be able to access the data, they won’t even be able to access unencrypted metadata that can prove very valuable in tracking down bad guys.”

Tech companies argue that the government should instead be focusing on external cybercriminal threats, rather than imposing on the privacy of data that’s protected by companies.

“At a time when cyberthreats from criminals, hackers, and nation states are on the rise, our nation’s leaders should not be calling on companies to weaken the encryption that allows us all to communicate privately and securely,” said Will Cathcart, head of WhatsApp, in a tweet.

A Facebook spokesperson added that “rolling back this vital protection will make us all less safe, not more.”

“End-to-end encryption is a necessity in modern life — it protects billions of messages sent every day on many apps and services, especially in times like these when we can’t be together,” the spokesperson told Threatpost via email. “We are committed to continuing to work with law enforcement and fighting abuse while preserving the ability for all Americans to communicate privately and securely.”

The new bill also directs the Attorney General to create a “prize competition” that awards participants who create a “lawful access solution in an encrypted environment.” Finally, it also funds a grant program within the Justice Department’s National Domestic Communications Assistance Center (NDCAC) to increase digital evidence training for law enforcement and creates a call center for advice and assistance during investigations.

“Tech companies’ increasing reliance on encryption has turned their platforms into a new, lawless playground of criminal activity. Criminals from child predators to terrorists are taking full advantage. This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet,” said Cotton in a statement.

Tech companies and the government have long butted heads over the issue of data privacy in the context of criminal investigations, with Federal Bureau of Investigation Director Christopher Wray previously calling unbreakable encryption an “urgent public safety issue.”

The encryption debate came to a head in 2016 when a federal judge ordered Apple to provide “reasonable technical assistance” to help the FBI access an iPhone belonging to the San Bernardino shooter by bypassing a program that erases the phone’s data if too many incorrect passwords are entered. That case was put on ice when the FBI hired an undisclosed third party to unlock the phone (though the incident was later discussed in a House encryption hearing).

A similar situation occurred again this year, when the FBI asked Apple to help unlock the iPhone of a potential terrorist, this time the suspect in the shooting attack that killed three people in December at the Naval Air Station in Pensacola, Fla. Apple denied the request, leading President Donald Trump to slam the tech company in a tweet.

It’s also not the first time that the government has attempted to impede encryption measures. The EARN IT Act (which stands for Eliminating Abusive and Rampant Neglect of Interactive Technologies Act) was introduced earlier in 2020. The bill argued that end-to-end encryption protects online predators. A similarly controversial Australian bill, passed in 2018, could give the government access to data protected by end-to-end encryption.

Threatpost has reached out to Apple for comment on the new bill.
