The US state of California has joined New York in considering legislation that will require technology companies to give law enforcement agencies back-door access to devices and decryption capabilities.
Introduced by California assemblyman Jim Cooper, the bill also aims to require all smartphones sold in the state after 1 January 2017 to be “capable of being decrypted and unlocked by its manufacturer or its operating system provider”.
The measure appears to be targeting human trafficking rather than terrorism, which is reportedly the aim of the New York bill.
If the bills are passed, anyone in either state who sells or leases a smartphone that fails to comply will face a fine of $2,500 per device.
The bills appear to be at odds with the US federal government’s approach, and have also drawn criticism from technology firms and businesses that use encryption to ensure the protection of sensitive data, such as legal firms, charities and health service providers.
“The proposals are impractical for organisations that rely on keeping data confidential,” said Michael Ginsberg, chief executive of encryption services provider Echoworx.
“If passed, these bills could lead to the ridiculous situation that businesses in New York and California that rely on encryption will have to buy or lease their smartphones from suppliers based in other states,” he told Computer Weekly.
The bills are also bound to draw opposition from big tech companies like Apple, whose latest smartphones enable encryption by default.
Apple, alongside Google, Microsoft, Intel and Facebook, is a member of the Information Technology Industry Council (ITI), which told US president Barack Obama in November 2015 in an open letter that it opposes “any policy actions or measures” by the government that would undermine encryption technologies.
“Encryption is a security tool we rely on everyday to stop criminals from draining our bank accounts, to shield our cars and airplanes from being taken over by malicious hacks, and to otherwise preserve our security and safety,” said ITI president and chief executive Dean Garfield.
The group, along with many security industry experts, is opposed to weakening encryption privacy protections for everyone just to enable easier access to electronic communications by law enforcement and security officers.
“We deeply appreciate law enforcement’s and the national security community’s work to protect us, but weakening encryption or creating back doors to encrypted devices and data for use by the good guys would actually create vulnerabilities to be exploited by the bad guys,” said Garfield.
By assemblyman Cooper’s own admission, 99% of Californians would never have their phones implicated in a law enforcement operation, reports Ars Technica, yet critics have pointed out that his bill would make everyone in the state more vulnerable to hackers.
“For the industry to say it’s privacy – it really doesn’t hold any water. We’re going after human traffickers and people who are doing bad and evil things. Human trafficking trumps privacy, no ifs, ands or buts about it,” Cooper is quoted as saying.
The bills have yet to be voted on by the state assemblies and senates, but are unlikely to get any support from the federal government.
In March 2015, president Obama criticised China over a proposed counter-terrorism law that would require technology firms that want to trade in China to share their encryption keys and put security back doors in their software.
In a joint submission to the Joint Committee on the draft UK Investigatory Powers Bill, Facebook, Google, Microsoft, Twitter and Yahoo have called for greater clarity on encryption, saying it is a fundamental security tool that is important to the security of the digital economy – as well as crucial to the safety of web users worldwide.
The submission asserted: “We reject any proposals that would require companies to deliberately weaken the security of their products via back doors, forced decryption or any other means. We therefore have concerns that the bill includes ‘obligations relating to the removal of electronic protection applied by a relevant operator to any communication or data’, and that these are explicitly intended to apply extraterritoriality with limited protections for overseas providers.”
National security needs encryption
Indeed, security experts have come out in support of the Dutch government’s view that strong encryption is essential to the security of the country.
The Netherlands will not follow the trend of weakening encryption for security purposes, according to a statement by the Dutch security and justice minister Ard van der Steur in January 2016.
The Dutch executive cabinet endorses the “importance of strong encryption for internet security to support the protection of privacy for citizens, companies, the government and the entire Dutch economy”, he wrote.