Hackers do not discriminate. They seek out technological vulnerabilities to access consumers’ most valuable data, regardless of where the consumer lives, or where their data may be accessed. Last year alone, more than 15 million Americans were the victims of identity theft. The boundaries of the cyberthreats they faced had no borders – the risk was just as real from their home in Vermont as it was in a hotel on vacation in Hawaii. To effectively thwart hackers and cyber threats, our nation should uniformly protect strong encryption methods to prevent crimes before they happen and keep our most prized data safe, no matter where we are.
This week, a bipartisan group of congressional members in the House reintroduced legislation that would prevent states from implementing anti-encryption laws in conflict with federal encryption policies. The Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act was first introduced in 2016 by Representatives Ted Lieu (D-CA), Suzan DelBene (D-WA), and Mike Bishop (R-MI). The sponsors introduced the measure in response to several legislative proposals at the state level to require encryption vulnerabilities. The legislation reintroduced this week has the added bipartisan support of Representative Jim Jordan (R-OH) to drive this important legislation forward.
How did we get here?
Following the San Bernardino shootings in December 2015, the FBI faced challenges in decrypting information stored in the shooter’s iPhone. Investigators and local law enforcement officials redoubled their calls for mandatory backdoors to be placed in encrypted technologies to support ease of access for investigations. Lawmakers in California and New York took this movement a step further by introducing legislation that would effectively ban encryption on any smartphone sold in their respective states. Though neither bill passed any of the relevant legislative chambers, they marked the initial effort by state governments to implement encryption laws distinct from federal law and in conflict with state and federal policies that encourage or require encryption. It was the first move to impose a mish-mash of state-specific barriers on an inherently borderless data ecosystem, and it challenged tech companies’ ability to provide the strongest technical protection methods to their customers regardless of where they live.
To quote the words of ENCRYPT Act co-sponsor Representative Suzan DelBene, “a patchwork of state laws on encryption will not make us safer. Rather, they open us up to attacks, and weaken our national security, not strengthen it.”
Consider this scenario: Neighboring State A and State B put forth conflicting laws in support of and prohibiting encrypted smartphones, respectively. Under this arrangement, hackers and nefarious actors would simply bypass State A and its strong encryption protections and take a trip across state borders to access the same data made easily available through the backdoor keys mandated on encrypted technologies in State B. You’re only as strong as your weakest link, and any protections offered to residents of State A would be made moot by the vulnerabilities allowed by State B. And when cybercriminals know a state has anti-encryption laws, and know a smartphone is not protected by the strongest encryption techniques, it makes it easier for them to target their attacks on the data where it is most vulnerable. Congresswoman DelBene’s sentiments remain true — allowing a patchwork of conflicting state laws on encryption would hurt interstate commerce and drive up consumer costs, stifle data flows, and pose a threat to our broader national security.
Here’s why the ENCRYPT Act is important
When we use our phones to send financial data to make purchases online, share secrets with our closest friends, send information to our doctors and employers, or store important personal data in the cloud, we want to trust that those communications, transactions, and data are secure regardless of where we live. Simply put, state governments’ prohibition on the ability to use encrypted technologies would erode trust in these interactions, the services our members provide, and their ability to protect valuable consumer data.
Thankfully, the ENCRYPT Act would preempt state and local governments from attempting to implement their own anti-encryption policies. Representative Ted Lieu, the ENCRYPT Act’s lead sponsor, called the potential mosaic of different encryption standards “a recipe for disaster” and a move that is “bad for law enforcement, bad for technology users, and bad for American technology companies.”
This legislation is an important step to ensure all Americans can use encrypted technologies to protect themselves and their data, regardless of where they live. The bill would help establish national protections on the interstate use of encrypted technology and protect the data that helps drive our local economies, and our app economy.
At the end of the day, we do not want to make it harder for law enforcement to solve a crime, rather we want to make encryption available to prevent cyber-crimes from happening in the first place. ACT | The App Association hopes this bill keeps a level playing field for national encryption policies led by lawmakers in Washington, and fosters a discussion between national, state, and local governments and law enforcement bodies about the myriad ways to facilitate criminal investigations without weakening the mechanisms that keep our valuable data safe.
To learn more about the ENCRYPT Act, click here.