House bill would kill state, local bills that aim to weaken smartphone crypto

Bipartisan legislation likely to be thorn in law enforcement's "Going Dark" side.

On Wednesday, Rep. Ted Lieu (D-Calif.) and Rep. Blake Farenthold (R-Tex.) introduced a new bill in Congress that attempts to halt state-level efforts that would weaken encryption.

The federal bill comes just weeks after two nearly identical state bills in New York state and California proposed to ban the sale of modern smartphones equipped with strong crypto that cannot be unlocked by the manufacturer. If the state bills are signed into law, current iPhone and Android phones would need to be substantially redesigned for those two states.

Lieu and Farenthold’s federal bill would need to pass both the House of Representatives and the Senate as well as be signed by the president in order to take effect. If that happens before the state bills are enacted, it would pre-empt them.

Lieu told Ars late Tuesday night by phone that the introduction of those two state bills got his attention, especially the one in his home state.

"When the New York state legislator introduced the bill, I was somewhat concerned—but he was a Republican in a Democratic legislature," he said. "But when a Democratic state legislator introduced a similar bill then I got very concerned. I'm very aware that it's controlled by Democrats, and he could very easily get his bill passed."

Lieu, himself a former California state senator, noted that while he respects his law enforcement colleagues and their interest in solving crimes, recent events solidify his argument.

"It's very clear to me that the people who are asking for a backdoor encryption key do not understand the technology," he added. "You cannot have a backdoor key for the FBI. Either hackers will find that key or the FBI will let it get stolen. As you saw, the [Department of Justice] just got hacked. The [Office of Personnel Management] got hacked multiple times. If our federal government cannot keep 20 million extremely sensitive security records, I don't see how our government can keep encryption keys safe."

Short and sweet

The "Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016" ("ENCRYPT Act") reads, in its entirety, as follows:

A State or political subdivision of a State may not mandate or request that a manufacturer, developer, seller, or provider of covered products or services—

(1) design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency or instrumentality of a State, a political subdivision of a State, or the United States; or

(2) have the ability to decrypt or otherwise render intelligible information that is encrypted or otherwise rendered unintelligible using its product or service.

Privacy advocates largely applauded the new bill.

"I think we have lawmakers at both the state and federal levels who are listening to the experts when they say that it's not possible to force providers and manufacturers to provide access to encrypted data without simultaneously undermining encryption," Andrew Crocker, an attorney at the Electronic Frontier Foundation, told Ars.

"We also have lawmakers who are instead proposing vague and/or ineffective ‘solutions’ to that fundamental concern. That's really the sum of these Crypto Wars: The ‘pro encryption’ side has the weight of technical and policy expertise. The ‘anti’ side repeats that it can be done without saying how."

Ross Schulman, the co-director of New America's Cybersecurity Initiative, concurred.

"The fact that a prominent member of Congress is introducing a bill specifically announcing support for unburdened encryption shows that there are people from all over the government that understand the vital role that encryption plays in our everyday business and personal communication," he e-mailed.

However, others don't feel that the bill's language goes far enough.

"While Rep. Lieu's bill has noble intentions and positive application, it may not pre-empt either of the current state proposals to undermine encryption currently being discussed," Amie Stepanovich, policy manager at Access Now, e-mailed Ars. "Proposals in New York and California are aimed at preventing the sale of devices with strong encryption. Rep. Lieu's bill only mandates limits on design or alteration of devices or products."

Shining a light on "Going Dark"

Since his election in 2014, the Southern California congressman has taken a strong pro-encryption stance.

In April 2015, Lieu blasted law enforcement officials for even proposing encryption backdoors—he is just one of four House members with computer science degrees. He is also a Lieutenant Colonel in the United States Air Force Reserves and served for four years as a member of the Judge Advocate General’s Corps.

"It is clear to me that creating a pathway for decryption only for good guys is technologically stupid, you just can't do that," he said during a congressional hearing last year.

Gautam Hans, an attorney with the Center for Democracy & Technology, told Ars that this background could be crucial to getting this bill passed.

"He's one of the few legislators with a CS degree, and therefore this bill is one of the few to be informed by actual substantive experience, as opposed to much of the backdoor rhetoric we've heard that betrays a deep lack of understanding of the math and the technology underlying encryption," he e-mailed.

For its part, law enforcement has strongly lobbied for more access to combat the "Going Dark" problem.

In a 57-page report released in 2015, the International Association of Chiefs of Police (IACP) wrote:

To be clear, the law enforcement community is not asking for new surveillance authorities above and beyond what is currently provided by the U.S. Constitution or by lawful court orders, nor are we attempting to access or monitor the electronic communications of all citizens. Law enforcement simply needs to be able to lawfully access information that has been duly authorized by a court in the limited circumstances prescribed in specific court orders—information of potentially significant consequence for investigations or serious crimes and terrorism.

FBI Director James Comey has also been particularly forceful on this issue. He told Congress last year: "the Department of Justice believes that the challenges posed by the Going Dark problem are grave, growing, and extremely complex."

Neither the New York nor California state lawmakers responded to Ars' request for comment, nor did the IACP.

Christopher Allen, an FBI spokesman, told Ars on Tuesday that the agency does not comment on pending legislation, referring us instead to Comey's previous statements.

"I don't fault them—they want as many tools as they can to catch the bad guys," Lieu concluded. "But the tool that they want is just not technologically feasible."
