How encryption legislation could affect enterprises
The legal battle between the FBI and Apple brought encryption legislation into the public eye, for better or worse. Expert Mike Chapple discusses the effect of this on enterprises.
The legal battle between the FBI and Apple in spring 2016 brought encryption into the public spotlight in a major way for the first time. While cybersecurity and law enforcement professionals have long debated issues over key escrow and access to encrypted information, these debates were never part of the greater public discourse until now. Although the FBI dropped its request for access to the phone in the San Bernardino case, that tactical move merely kicked the can down the road.
In the wake of the FBI's attempt to access the San Bernardino iPhone, legislatures at both the federal and state level have threatened to take up the issue, with legislators introducing bills that seek to address this challenge. It's likely that we will continue to see more wrangling over encryption legislation in 2016.
Federal encryption legislation
In the midst of the FBI-Apple dispute, the U.S. House of Representatives announced the formation of a bipartisan encryption working group. Composed of four Democratic and four Republican members of Congress, the group is charged with examining the issue in depth on behalf of Congress. The stated purpose of the group is to "work toward finding solutions that allow law enforcement agencies to fulfill their responsibility without harming the competitiveness of the U.S. technology sector or the privacy and security that encryption provides for U.S. citizens."
In the Senate, Sens. Dianne Feinstein (D-Calif.) and Richard Burr (R-N.C.) recently introduced the Compliance with Court Orders Act of 2016. This bill, widely criticized by the technology community, would require that any organization provide decrypted data in any case where "such data has been made unintelligible by a feature, product, or service owned, controlled, created, or provided by the covered entity or by a third party on behalf of the covered entity."
If passed, this bill would effectively require any company providing encryption technology to build a backdoor into the product that allows them to comply with government requests. Those requests may come from "the Government of the United States and the government of the District of Columbia, or any commonwealth, territory, or possession of the United States, of an Indian tribe, or of any State or political subdivision thereof."
While undoubtedly well-intentioned, a law of this nature is likely to have a devastating effect on cybersecurity. There is, for example, no key escrow technology that is widely accepted by cybersecurity professionals as a secure way to ensure that access only takes place pursuant to a legitimate court order. Additionally, the inclusion of backdoors in every encryption product available would likely lead to unauthorized individuals discovering and exploiting those backdoors for nefarious purposes.
Preempting the states
The federal government isn't the only arena where officials are threatening action with encryption legislation. Legislatures in California and New York are considering bills that would require any smartphone sold in those states to include capabilities that allow the manufacturer to decrypt information stored on the devices. Manufacturers that fail to comply with the encryption legislation would face significant fines for each noncompliant device sold in those states.
For technology companies, perhaps the only thing worse than the federal government requiring backdoors is a patchwork of 50 different state laws each containing different requirements. Federal lawmakers are also pushing proposed legislation that would use the interstate commerce provisions of federal law to preempt state laws on this matter and reserve the regulation of encryption technology as the domain of the federal government.
Security professionals and technology companies will certainly watch developments in the encryption legislation space carefully over the coming months. Decisions made by nontechnical legislators will have a lasting impact on security technology for years to come.