Major American tech companies on Tuesday slammed a Senate bill that would require them to design their products' encryption so they could bypass it when served with warrants for user data.
“Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will lead to unintended consequences,” Reform Government Surveillance, whose members include Apple, Facebook, Google, Microsoft, Twitter, and Yahoo, wrote in a letter to the bill's cosponsors, Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.).
Burr and Feinstein's bill, introduced on April 13, would require tech companies to provide investigators with encrypted user data in an “intelligible” format and provide any “technical assistance” necessary to help authorities read that data.
“This mandate would mean that when a company or user has decided to use some encryption technologies, those technologies will have to be built to allow some third party to potentially have access,” read the letter, also signed by the Computer and Communications Industry Association, the Internet Infrastructure Coalition, and the Entertainment Software Association. “This access could, in turn, be exploited by bad actors.”
Tech companies, security experts, and civil-liberties groups have been waging a decades-long battle with senior law-enforcement and intelligence officials over the nature of encryption.
Police and spies, concerned that unbreakable encryption aids criminals and terrorists, have pushed Congress to require companies to design their encryption to be breakable. But Silicon Valley executives, leading cryptographers, and civil-society organizations have resisted this push, arguing that so-called “backdoors” in encryption would weaken security for everyone and push customers onto unregulatable foreign-made platforms.
Apple and the Justice Department recently tussled in court and in the news media over access to a dead terrorist's locked iPhone, shedding new light on the judiciary's role in encryption disputes. Although the government dropped its request for a court order compelling Apple's assistance in that case, it is making the same demand in other courts across the country.
Reform Government Surveillance's opposition to the Burr–Feinstein bill is notable, because its member companies have yet to comment independently on the draft legislation.
The RGS letter noted another concern of security and privacy advocates: that a U.S. backdoor mandate might prompt repressive regimes to step up their demands of tech companies operating within their borders.
“No accessibility requirement can be limited to U.S. law enforcement,” the groups wrote to Burr and Feinstein. “Once it is required by the U.S., other governments will surely follow.”
Apple, Google, and other American firms began adding stronger encryption to their products and services in the wake of the 2013 Edward Snowden leaks about U.S. mass surveillance programs. They feared reputation damage for appearing to be complicit in far-reaching government spying. Now they are concerned that the U.S. government's response to their encryption improvements—a backdoor mandate—will again damage their reputations by forcing them to reverse their advances.
“Efforts to prioritize one type of security over all others,” the tech groups wrote, would create “unintended, negative consequences for the safety of our networks and our customers.”