How encryption legislation could affect enterprises

Federal encryption legislation

In the midst of the FBI-Apple dispute, the U.S. House of Representatives announced the formation of a bipartisan encryption working group. Composed of four Democrat and four Republican members of Congress, the committee will dive in deeply and examine the issue facing Congress. The stated purpose of the group is to "work toward finding solutions that allow law enforcement agencies to fulfill their responsibility without harming the competitiveness of the U.S. technology sector or the privacy and security that encryption provides for U.S. citizens."

Decisions made by nontechnical legislators will have a lasting impact on security technology for years to come.

In the Senate, Sens. Dianne Feinstein (D-Calif.) and Richard Burr (R-N.C.) recently introduced the Compliance with Court Orders Act of 2016. This bill, widely criticized by the technology community, would require that any organization provide decrypted data in any case where "such data has been made unintelligible by a feature, product, or service owned, controlled, created, or provided by the covered entity or by a third party on behalf of the covered entity."

If passed, this bill would effectively require any company providing encryption technology to build a backdoor into the product that allows them to comply with government requests. Those requests may come from "the Government of the United States and the government of the District of Columbia, or any commonwealth, territory, or possession of the United States, of an Indian tribe, or of any State or political subdivision thereof."

While undoubtedly well-intentioned, a law of this nature is likely to have a devastating effect on cybersecurity. There is, for example, no key escrow technology that is widely accepted by cybersecurity professionals as a secure way to ensure that access only takes place pursuant to a legitimate court order. Additionally, the inclusion of backdoors in every encryption product available would likely lead to unauthorized individuals discovering and exploiting those backdoors for nefarious purposes.

Preempting the states

The federal government isn't the only arena where officials are threatening action with encryption legislation. Legislatures in California and New York are considering bills that would require any smartphone sold in those states to include capabilities that allow the manufacturer to decrypt information stored on the devices. Manufacturers that fail to comply with the encryption legislation would face significant fines for each noncompliant device sold in those states.

For technology companies, perhaps the only thing worse than the federal government requiring backdoors is a patchwork of 50 different state laws each containing different requirements. Federal lawmakers are also pushing proposed legislation that would use the interstate commerce provisions of federal law to preempt state laws on this matter and reserve the regulation of encryption technology as the domain of the federal government.

Security professionals and technology companies will certainly watch developments in the encryption legislation space carefully over the coming months. Decisions made by nontechnical legislators will have a lasting impact on security technology for years to come.