Categories
Actions

Internet Society Open Letter Against Lawful Access to Encrypted Data Act

Strong encryption is vital for national security, the economy, personal security and safety, individual liberty, and free expression.

July 7, 2020

The Honorable Lindsey Graham
Chairman, Senate Committee on the Judiciary

The Honorable Marsha Blackburn
Senate Committee on the Judiciary

The Honorable Tom Cotton
Senate Committee on the Judiciary

Dear Senators Graham, Blackburn, and Cotton:

The undersigned organizations and security experts from civil society, industry and academia express our strong opposition to the Lawful Access to Encrypted Data Act, S. 4051. The bill’s language as drafted is seriously flawed and could endanger public and national security.

The bill would expose millions of Americans—and people around the world who use American products and services—to substantially higher risk from malicious cyber actors, including hostile states and cyber criminals. This bill would require companies to build encryption backdoors. In some cases this would be by default. In others, backdoors would be linked to nine new or expanded requirements for companies or people to comply with government demands for “technical assistance” in law enforcement investigations. The definitions of “technical assistance” explicitly include “decrypting” information. Thus the bill’s requirements are so broad that it would effectively force recipients to build and maintain encryption backdoors to provide the data when requested. Such requirements would seriously weaken security; as highlighted by experts, including former senior national security and law enforcement officials, in the Carnegie Endowment for International Peace’s 2019 report Moving the Encryption Policy Conversation Forward.

The bill’s flawed premise is evident in its findings. As currently written, it states that strong encryption is dangerous and it facilitates “criminal activity,” without acknowledging that end-to-end encryption protects all people and is vital to many sectors of the economy, from banking to healthcare. Further, the bill’s findings fail to recognize the magnitude of vulnerability it would create for hundreds of millions of Americans who rely on strong encryption every day of their lives, especially as the global pandemic shifts much of their lives online.

Interviews with hundreds of federal, state, and local law enforcement officials have shown that the largest barrier to law enforcement when dealing with modern communications systems is not encryption. Rather, it is an inability to leverage the data they currently have or could have access to. The intent of the Lawful Access to Encrypted Data Act may be to promote public safety, but regardless of how law enforcement or legislators attempt to require exceptional access to encrypted communications, the result is the same: it would put the safety and security of Internet users in danger at a moment when a devastating pandemic has made secure technologies more critical than ever to the everyday lives of Americans. 

In addition, this effort will threaten the widespread adoption of strong encryption, which is essential for protecting the national security of the United States and the confidentiality, integrity, and availability of important data for all persons, corporations, and other organizations, including governmental actors.

Why Encryption Matters

Strong encryption is vital for national security, the economy, personal security and safety, individual liberty, and free expression. Encryption allows individuals to freely express themselves, to exchange personal and other sensitive information, and to protect their data. This includes active duty military personnel stationed overseas, scientists, doctors and patients, attorneys, journalists, human rights workers abroad, political campaigns, corporate executives, and victims of domestic abuse and other vulnerable communities.

Strong, unfettered encryption is vital to national and personal security. Individuals, businesses, and governments—including law enforcement, national security agencies, military personnel, and government officials—use the same commercial off-the-shelf (“COTS”) encrypted services to ensure that the content of their communications is protected against outside surveillance or malicious modification. 

Encrypted services are also vital to the U.S. economy—large sectors including online banking, e-commerce, and R&D rely on trusted encrypted services. Encrypted services are even more important now, during the COVID-19 pandemic, for remote working, learning, and healthcare. Removing, weakening or disincentivizing the use of strong encryption, as this bill effectively does, would threaten our economy and sacrifice all users’ security and privacy, leaving their communications, financial transactions, health information, and other data susceptible to misuse by bad actors, including the military and intelligence services of hostile states, organized criminals, terrorist groups, domestic abusers, and malicious hackers.

Backdoors to encryption make everyone in society more vulnerable to cybersecurity threats, privacy violations, foreign government surveillance, and other risks. Any backdoor will inevitably be leaked or discovered and used by malicious actors.

A backdoor for law enforcement is a backdoor for bad actors as well. 

Conclusion

Preventing crime and keeping people safe is a universal priority—and is also the ultimate goal of the use of encryption technologies. Making everyone more vulnerable to criminals, malicious actors, and foreign intelligence services would be the unfortunate impact of passing the Lawful Access to Encrypted Data Act. It is too technically flawed to be effective, and will force companies to make their products less secure.

We support the goal of promoting public safety, but the Lawful Access to Encrypted Data Act would have the opposite effect, and it would compromise Americans’ security. Therefore, we strongly oppose this bill.

Sincerely,

Civil Society Organizations

Access Now

Advocacy for Principled Action in Government

American Civil Liberties Union (ACLU)

Center for Democracy and Technology (CDT)

Defending Rights & Dissent

Derechos Digitales

Centre for Inclusive Design

Electronic Frontier Foundation (EFF)

Fight for the Future

Global Partners Digital

Human Rights Watch

Internet Society

Internet Users Forever IKI

LGBT Technology Partnership

National Coalition Against Censorship

New America’s Open Technology Institute (OTI)

PEN America

Prostasia Foundation

Restore the Fourth

SFLC.in

Swathanthra Malayalam Computing

TechFreedom

The Tor Project

Wikimedia Foundation

World Wide Web Consortium (W3C)

Technology Companies and Trade Associations

ACT | The App Association 

Afilias

Blacknight

Reform Government Surveillance 

Ribose Inc.

Surfshark

UnlockOpen

Valimail

Security and Policy Experts*

Dr. Ben Adida, Executive Director, VotingWorks

Matt Anderson, Trust & Safety Specialist, Linode

Daniel Appelquist, co-chair of the W3C Technical Architecture Group and Director of Web Advocacy at Samsung Electronics

Anivar Aravind, Executive Director, Indic Project

John Bambenek, Bambenek Consulting LTD

Brian Behlendorf, The Linux Foundation

Steven M. Bellovin, Percy K. and Vida L.W. Professor of Computer Science and affiliate law faculty, Columbia University

Matt Bishop, Professor of Computer Science, University of California at Davis

Seth Blank, VP of Standards and New Technologies, Valimail

Nathaniel Borenstein, Chief Scientist, Mimecast

David Boskovic, Flatfile

Georgia Bullen, Executive Director, Simply Secure

Jon Callas, Senior Technology Fellow, ACLU

L. Jean Camp, Indiana University

David Chasteen, former Chief Information Security Officer of the San Francisco Police Department

Stephen Checkoway, Assistant Professor of Computer Science, Oberlin College

Tiffany Connors, Cybersecurity Engineer, Lawrence Berkeley National Laboratory

Sven Dietrich, City University of New York

Roger Dingledine, The Tor Project

Zakir Durumeric, Stanford University

David Evans, University of Virginia

Alexander Falatovich, Lead Cyber Security Threat Analyst

Alex Gouaillard, W3C AB representative for and CEO of CoSMo Software

Alex Gaynor, Alloy

Chris Grundemann, Myriad360

J. Alex Halderman, Professor of Computer Science and Engineering; Director, Center for Computer Security and Society, University of Michigan

Dr. Sven Herpig, Director for International Cybersecurity Policy, Stiftung Neue Verantwortung

Chelsea Holland Komlo, University of Waterloo

Allen Householder, Senior Vulnerability Analyst, CERT/CC, Software Engineering Institute, Carnegie Mellon University

J.C. Jones, Mozilla Corporation

Chris Kanich, University of Illinois at Chicago

Dr. Joseph Kiniry, Galois and Free & Fair

Dr. Peter Y. A. Ryan, University of Luxembourg

Petri Koistinen, Nitor

Susan Landau, Tufts University

Dave Lugo, Systems Engineer, Comcast

Art Manion, CERT/CC, Software Engineering Institute, Carnegie Mellon University

Sascha Meinrath, Director, X-Lab, Palmer Chair in Telecommunications, Penn State University

Peter G. Neumann, Chief Scientist, SRI International Computer Science Lab, and moderator of the ACM Risks Forum

Zigmund J Ozea, Senior Programmer, Zetalytics

Jon M. Peha, Carnegie Mellon University

Riana Pfefferkorn, Stanford Center for Internet and Society

Ronald Rivest, Massachusetts Institute of Technology

Bruce Schneier, Lecturer, Harvard Kennedy School

Ross Schulman, New America’s Open Technology Institute

Wendy Seltzer, Strategy Lead, World Wide Web Consortium (W3C)

Micah Sherr, Georgetown University

Adam Shostack, Shostack & Associates

Harold Solbrig, Johns Hopkins University

Eugene H. Spafford, Professor and CERIAS Emeritus Executive Director    Purdue University

Ashkan Soltani, Georgetown University

Michael Alan Specter, Massachusetts Institute of Technology

Jonathan Spring, CERT/CC, Software Engineering Institute, Carnegie Mellon University

Venkat Venkatakrishnan, Professor, UIC

Dan S. Wallach, Professor, Department of Computer Science Rice Scholar, Baker Institute for Public Policy, Rice University

Nicholas Weaver, Researcher, ICSI & Lecturer, UC Berkeley

Kenneth White, MongoDB

Daniel Zappala, Brigham Young University

Dr. Daniel M. Zimmerman, Galois and Free & Fair

Lenore D Zuck, Research Professor, University of Illinois at Chicago

*Affiliations provided for identification purposes only