Recently, ACT | The App Association made it a priority to highlight encryption’s essential role in facilitating a safe and secure internet, a role that’s become even more vital while millions remain quarantined and reliant on remote communication technologies. This is especially the case for vulnerable communities, such as the protesters and activists involved in the Black Lives Matter fight for racial justice, who rely on encrypted communications to coordinate their activities and exercise their First Amendment rights. The App Association stands with these communities in opposition to any efforts to undermine encrypted communications and services.
It should come as no surprise, then, that the App Association was disappointed to see the recent arrival of the Lawful Access to Encrypted Data Act of 2020 (LAED Act), introduced by Senate Judiciary Chairman Lindsey Graham (R-SC) and co-sponsored by Senators Tom Cotton (R-AR) and Marsha Blackburn (R-TN). The second assault on end-to-end encryption of 2020 following the EARN IT Act (also introduced by Chairman Graham), the LAED Act ups the ante by dispensing with any public policy goals outside of eradicating warrant-proof encryption in the United States.
If you’ll remember back to the introduction of the EARN IT Act, that bill was originally structured in such a way that providers of “internet computer services” would need to comply with a set of ostensibly non-binding best practices—produced by a commission overseen by the U.S. Attorney General (AG)—or else lose their liability protection under Section 230 of the Communications Decency Act. Given the current AG’s outspoken stance on encryption’s role in the investigatory process, many saw the whole arrangement as a rather oblique attempt at coercing facilitators of online communications and content to create backdoor access to encrypted data for law enforcement. Though the bill did not mention the term “encryption” once, virtually the entire technology policy community agreed that the effect the bill would have on encryption was crystal clear.
The LAED Act, by contrast, forgoes polite appearances, baldly attacking a wide swath of providers, platforms, and devices that offer encrypted services. The LAED Act would effectuate a new requirement that entities must be able to respond to “technical-assistance” court orders obtained by law enforcement. Contrary to current practice, these court-ordered technical-assistance requests would require the “decrypting or decoding” of information on an electronic device, remotely stored electronic information or electronic communication, “unless the independent actions of an unaffiliated entity make it technically impossible to do so.” In other words, no longer could entities claim that they lack the technical capability to peer into their own encrypted devices or services; they would be compelled to design a backdoor to encryption ahead of time.
The bill would apply to both data at rest (think data stored on a password-protected iPhone), as well as data in motion (such as encrypted text messages traversing networks), covering device manufacturers that sold 1,000,000 or more devices in the United States in 2016 or any year after. The bill would also apply to operating system providers, remote computing services providers, and wire or electronic communications providers who had 1,000,000 or more users in 2016 or any year after. This would pull in an enormous cross-section of the internet ecosystem, covering everyone from large device manufacturers like Apple to any chat app in app stores with a usership (doing some quick math here) representing more than 0.3 percent of the country’s population.
Like its predecessor, LAED earned (heh) harsh rebukes from technology policy onlookers across the board, and it is truly hard to see what constituency this bill serves, other than an aggressively anti-encryption AG’s office. Strong encryption is a First Amendment prerogative, vital to securing our critical infrastructure, and key to maintaining trust in the remote communications technologies currently keeping our economy afloat. As we, and many others, have repeatedly pointed out, the government’s approach to catching criminals on the internet shouldn’t create a backdoor that will inevitably foster even more criminality. Moreover, at a time when our communities are debating the appropriate role and scale of policing in our everyday lives, a bill giving law enforcement virtually unlimited powers to snoop on otherwise protected information and conversations is especially tone-deaf and counterproductive.
Before we get too worked up about the LAED Act though, it is important to assess the possibility that this bill is merely a cynical attempt at shifting the Overton window on ludicrous encryption bills, so as to make EARN IT more palatable by comparison. Indeed, since the introduction of the LAED Act, EARN IT has been amended to appear less directly confrontational toward encryption, even though the revisions simply toss it to the states to decide whether use of encryption should lead to a loss of liability protection. Certainly, we aren’t the first to ponder whether the LAED Act is simply an effort in misdirection, as the reasoning behind such a maneuver would make intuitive sense. With the current make-up of the House, LAED’s egregious overreach is exceedingly likely to be rebuffed there. However, now that the EARN IT Act has been perfumed with a whiff of reasonability on encryption, members may view it as a compromise to an admittedly devilish conundrum. Our message to Congress on this point is clear: don’t fall for it. Though LAED is assuming the role of most rotten piece of legislation on the Hill for now, EARN IT remains just as insidious an attempt to create a backdoor to encryption as it was a month ago.