Explaining that he’s concerned about a patchwork of diverse and sometimes contradictory laws regulating data encryption across the country, U.S. Rep. Ted Lieu (D-Calif) along with a bipartisan list of co-sponsors has introduced a bill to create standard rules.
The bill, “Ensuring National Constitutional Rights for Your Private Telecommunications,” known as the ENCRYPT Act, would prohibit states and other political entities from regulating the use of encryption.
The legislation is unusual for two reasons. First the proposed bill is brief and easy to understand and second because it doesn’t attempt to take any existing rights away from anyone. This new bill is identical to one that Lieu introduced in 2016, which never made it out of committee. This year may be different.
If the ENCRYPT Act passes and becomes law, it would prohibit the states from requiring anyone that develops products that support encryption to enable the surveillance of their products or allow the physical search of the product by any state or federal agency.
It would also prohibit any requirements that products include built-in back doors or other means of decryption. Furthermore the bill would prevent states from prohibiting the sale or use of products that use encryption or similar security technology.
That’s it. The bill is only two paragraphs long and it tells government agencies at all levels that they can’t put limits on encryption for any reason and without exceptions.
“Any discussion of encryption and law enforcement access to data needs to happen at the federal level,” explained Rep. Lieu in a statement that accompanied the bill’s introduction. “As a computer science major, I can tell you that having 50 different mandatory state-level encryption standards is bad for security, consumers, innovation, and ultimately law enforcement. Encryption exists to protect us from bad actors, and can’t be weakened without also putting every American in harm’s way.”
One of the bill’s co-sponsors, Rep. Jim Jordan (R-Ohio) made note of the uneven ground that’s currently affecting encryption. “We know federal agencies have abused warrantless surveillance in the past,” Jordan said in a prepared statement.
“The current patchwork system for encryption makes it easier for further abuses of the system and increases the problem by creating potential opportunities for abuse by third party actors. By creating a unified approach to encryption, we can protect security and privacy while allowing law enforcement to continue keeping us safe.”
What’s different this year compared to two years ago when this bill was introduced the first time is summed up by the changes in how we view privacy. Since 2016 we’ve had revelations about Facebook and Cambridge Analytica, breaches of private information, and of course, the European Union’s General Data Protection Regulation. Privacy is very much a hot button issue and this fact isn’t lost on Congress.
At the same time the previous version of the ENCRYPT Bill was introduced in 2016 another encryption bill under consideration by the Senate Intelligence Committee would have set up elaborate requirements for product developers to deploy weakened encryption and back doors to provide ready access to law enforcement.
The Senate bill produced a broad hue and cry, not to mention active opposition from the industry. But now with the nearly constant stream of news about privacy breaches, plus the greater sensitivity about privacy that comes with the EU GDPR, the mood in Congress as well as the mood of the voters, has changed.
The realities of the security landscape have made it clear that encryption is vital to companies that are trying to protect the information they’re required to keep safe. It’s also obvious to those companies that anything that weakens the encryption they use increases their exposure to liability.
And there’s another factor that was present in 2016 when the bill was introduced the first time, but which is far more visible now. That’s the risks to personal and government security by state-sponsored actors. The intelligence agencies of China, Russia, North Korea, Iran and others are working overtime to crack the private information of American companies and it gets worse on an almost daily basis.
Making matters worse is a growing movement at the state level to impose encryption limits on devices used in daily commerce, notably cell phones. The states of California and New York have been working on bills that would require devices that use encryption, such as smartphones, to have back doors accessible to state agencies. Such laws, if they took effect, could make it a crime to use a device without such a back door, meaning that you could be charged if you brought your iPhone into one of those states.
Unfortunately, New York and California aren’t the only states working their own encryption bills. If they started to become commonplace, the result would effectively be a disaster for companies that are trying to comply with rules that require them to protect private information. This is the patchwork of laws that the ENCRYPT bill seeks to prevent.
It’s hard to see how interstate digital commerce might work with one set of laws requiring encryption and another set forbidding it. Clearly, some resolution is necessary.