Daily Dot: State encryption laws only undermine our national security
Encryption advocates and national security leaders let out a collective sigh of relief last month when the Federal Bureau of Investigation and Department of Justice abruptly withdrew the legal motion against Apple over a locked iPhone. The hastily crafted lawsuit was a risky gambit to circumvent Congress and set a dangerous legal precedent with an 18th century law to compel U.S. technology companies to undermine their own digital security.
In the aftermath of the #FBIvsApple saga, however, one thing is clear: The Crypto Wars 2.0 are just beginning, and Congress must not repeat the mistakes of the past.
This is not the first time the adoption of encryption technology has triggered a clash with government over how to adapt. During the Crypto Wars of the 1990s, the U.S. government sought to control the spread and strength of encryption through mandated key escrow systems, overbroad export controls and even the development of the notorious Clipper Chip to try to give the government backdoor access into electronic communications. The actions served more to drive business to non-American digital security companies and weakened U.S. national security.
But history has a short memory indeed. The issue resurfaced last year when the FBI proposed building “backdoors” into encryption technology. Congress tore apart the idea as technologically unfeasible and harmful. As a computer science major, it is clear to me that there is no technological way to create a “backdoor” only for law enforcement. Coalitions mobilized, with over 140 tech companies, technologists and civil liberties groups sending a letter to the president last May opposing efforts to weaken encryption.
We learned from the last Crypto War that poorly conceived government efforts to limit the spread and strength of encryption proved only to undermine privacy, our economy, and U.S. national security. We have already seen the costs and consequences of weak encryption: devastating cyberattacks in both our public and private sectors. That’s why the president’s own Review Group on Intelligence and Communications Technologies—a group of prominent national security experts whose 2013 report is postedon the NSA’s website—recommended that the U.S. “fully support and not undermine” strong encryption.
The security-focused arguments for undermining digital security simply do not hold water. Weaken American encryption and consumers—both good and bad actors—will simply seek their technology from companies based abroad. Weaker encryption also means weaker national security. Having served on active duty and the reserves in our armed forces, I am not willing to put at risk our national security so that some law enforcement investigations could be made easier.
Leaders in the U.S. national security establishment have already pushed back against what the FBI is proposing. As reported by the Associated Press last month, Secretary of Defense Ash Carter publicly stated that “data security is an absolute necessity for us. We're foursquare behind strong data security and encryption.” Secretary Carter publicly opposed “backdoors” and cautioned against legislation “written by people who won't have technical knowledge, maybe written in an atmosphere of anger or grief."
But the FBI isn’t alone in trying to take encryption matters into its own hands. State legislators in California and New York have now introduced bills that would effectively ban encryption on any smartphone sold in their states. If implemented, a company like Apple would have to choose between not selling its encrypted-by-default iPhones in those states or spending billions to develop alternative product lines with weaker security.
Broader state bills could encompass phone applications and cloud-based services like WhatsApp and Gmail, weakening encryption inconsistently across state lines and creating a nightmare of compliance for federal law enforcement and technology companies alike. Attempts to restrict encryption at the state or local levels would only serve to undermine security and economic competitiveness for the entire nation.
That is why I introduced the Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act, along with my colleagues Reps. Blake Farenthold (R-Texas), Suzan DelBene (D-Washington), and Mike Bishop (R-Michigan). This bipartisan bill would preempt state and local governments from creating a disastrous patchwork of different encryption laws. The U.S. Constitution grants Congress the authority to regulate interstate commerce, and the ENCRYPT Act sends a clear message that the complicated issues with encryption must be addressed thoughtfully and nationally.
This bill is just the first step. Congress already has—and will continue to—address the issue with high-profile hearings, legislative proposals, and the creation of dedicated bodies to study the issue in-depth. The House Judiciary and Energy and Commerce Committees recently announced a Congressional Encryption Working Group. House Homeland Security Committee Chairman Michael McCaul and Senate Select Committee on Intelligence Member Mark Warner introduced, and I co-sponsored, legislation to create a Digital Security Commission of experts to report back with recommendations. Think tanks like the Information Technology and Innovation Foundation, New America’s Open Technology Institute, and the Wilson Center are engaging with Congress and other stakeholders on encryption issues.
The stakes in the encryption debate are high, with significant consequences for personal privacy, the U.S. private sector, and our national security. Weaker encryption standards would mean less security and more successful cyberattacks, government records downloaded by foreign adversaries, patient health records stolen by criminals, and movie studios hacked for exercising their freedom to create films about dictators. As the Crypto Wars 2.0 play out a familiar story, it is critical for Congress to address these complex issues thoughtfully and not repeat the mistakes of the past.