Lindsey Graham and Tom Cotton want to destroy the Internet

The new bill, called the Lawful Access to Encrypted Data Act, essentially outlaws end to end encryption that does not feature a back door, which means it outlaws any secure encryption at all.

It is not possible to create a secure encryption scheme that includes a back door. The existence of the back door means the existence of some sort of master key that will inevitably be leaked and misused. Insisting “but we’ll require a warrant” is cold comfort in light of that, and never mind that the whole warrant process for surveillance has been shown repeatedly to be rife with abuse itself.

This isn’t just about encrypted communication in WhatsApp. This touches every financial transaction online — every payroll deposit, every mortgage payment, every credit card charge. All of these things use secure encryption. And all of them will be made materially weaker and far, far easy to compromise by this bill.

Ars lays it out:

Encryption doesn’t work that way

Providing the sort of backdoor Graham and company keep asking for means, among other things, providing the service provider itself access to “encrypted” data. This, in turn, opens that provider’s customers up to privacy violations from the service provider—or rogue employees of the service provider—themselves, which in turn would break much of the security model of modern cloud services. This would gravely impact not only end consumer privacy but enterprise business security as well.

In recent years, large cloud providers such as Amazon, Microsoft, and Google have made big and successful pushes to convince large businesses to host increasingly confidential business data in their data centers. This is only feasible because of secure encryption using keys inaccessible to the cloud provider itself. Without provider-opaque encryption, those businesses would return to storing critically confidential data only in self-managed and controlled private data centers—increasing cost and decreasing scalability for those businesses.

This, of course, only scratches the surface of the true impact of such a misguided effort. Secure encryption is an already widely available technology, and it doesn’t require massive infrastructure to implement. There is no reason to assume that the very terrorists Graham, Cotton, and Blackburn invoke wouldn’t simply revert to privately managed software without holes poked in it were such a bill to pass.

There’s also no reason to assume that the service providers themselves would be the only ones able to access the critical loopholes LAEDA would require. It’s difficult to imagine that such vulnerabilities would not rapidly become widely known and be exploited by garden-variety criminals, foreign and domestic business espionage units, and foreign nations.

The advocacy group Fight for the Future issued the following statement (also in the Ars article):

Politicians who don’t understand how technology works need to stop introducing legislation like this. It’s embarrassing at this point. Encryption protects our hospitals, airports, and the water treatment facilities our children drink from. Security experts have warned over and over again that weakening encryption or installing back doors will make everyone less safe, not more safe. Full stop. Lawmakers need to reject the Lawful Access to Encrypted Data act along with the EARN IT act. These bills would enable mass government surveillance while doing nothing to make children, or anyone else, any safer.

Comments are closed.