
How encryption legislation could affect enterprises

The legal battle between the FBI and Apple brought encryption legislation into the public eye, for better or worse. Expert Mike Chapple discusses the effect of this on enterprises.

The legal battle between the FBI and Apple in spring 2016 brought encryption into the public spotlight in a major way for the first time. While cybersecurity and law enforcement professionals have long debated issues over key escrow and access to encrypted information, these debates were never part of the greater public discourse until now. Although the FBI dropped its request for access to the phone in the San Bernardino case, that tactical move merely kicked the can down the road.

In the wake of the FBI's attempt to access the San Bernardino iPhone, legislatures at the federal and state level have all threatened to take up the issue, with legislators introducing bills that seek to address this challenge. It's likely that we will continue to see more wrangling over encryption legislation issues in 2016.

Federal encryption legislation

In the midst of the FBI-Apple dispute, the U.S. House of Representatives announced the formation of a bipartisan encryption working group. Composed of four Democrat and four Republican members of Congress, the committee will dive in deeply and examine the issue facing Congress. The stated purpose of the group is to "work toward finding solutions that allow law enforcement agencies to fulfill their responsibility without harming the competitiveness of the U.S. technology sector or the privacy and security that encryption provides for U.S. citizens."

In the Senate, Sens. Dianne Feinstein (D-Calif.) and Richard Burr (R-N.C.) recently introduced the Compliance with Court Orders Act of 2016. This bill, widely criticized by the technology community, would require that any organization provide decrypted data in any case where "such data has been made unintelligible by a feature, product, or service owned, controlled, created, or provided by the covered entity or by a third party on behalf of the covered entity."

If passed, this bill would effectively require any company providing encryption technology to build a backdoor into the product that allows them to comply with government requests. Those requests may come from "the Government of the United States and the government of the District of Columbia, or any commonwealth, territory, or possession of the United States, of an Indian tribe, or of any State or political subdivision thereof."

While undoubtedly well-intentioned, a law of this nature is likely to have a devastating effect on cybersecurity. There is, for example, no key escrow technology that is widely accepted by cybersecurity professionals as a secure way to ensure that access only takes place pursuant to a legitimate court order. Additionally, the inclusion of backdoors in every encryption product available would likely lead to unauthorized individuals discovering and exploiting those backdoors for nefarious purposes.

Preempting the states

The federal government isn't the only arena where officials are threatening action with encryption legislation. Legislatures in California and New York are considering bills that would require any smartphone sold in those states to include capabilities that allow the manufacturer to decrypt information stored on the devices. Manufacturers that fail to comply with the encryption legislation would face significant fines for each noncompliant device sold in those states.

For technology companies, perhaps the only thing worse than the federal government requiring backdoors is a patchwork of 50 different state laws each containing different requirements. Federal lawmakers are also pushing proposed legislation that would use the interstate commerce provisions of federal law to preempt state laws on this matter and reserve the regulation of encryption technology as the domain of the federal government.

Security professionals and technology companies will certainly watch developments in the encryption legislation space carefully over the coming months. Decisions made by nontechnical legislators will have a lasting impact on security technology for years to come.

This was last published in May 2016

What do you think about the possible encryption legislation?

If this succeeds it means nothing else but the US is trying to take over the cyber world. It can't result in anything else but the EU regaining its sovereignty by taking back control over that technology in the end, which might be an unavoidable outcome anyway. But there's more trouble ahead: As in the digital world there is no proof against digital tampering but encryption, this means that all information encrypted with US technology will be suspicious of being manipulated by the US government. Nobody could even trust a US digital money transfer anymore as this could be a fraud to destabilize a hostile government following good US national interest. This could blow up trust in the digital economy within minutes and leave the global economy in utmost despair.

While privacy is at the heart of this country, so is security. Maybe even more so. Any battle between the two can never be won. Fortunately there is a lot of ground between YES and NO. Before bad decisions are locked into untenable laws, we still have time to find a compromise solution that works for both sides of the problem.