The FBI had better start polishing up its “front door” pitch because Sen. Ron Wyden is pitching legislation that would prevent it from crafting its own backdoors.
The Secure Data Act will prohibit Federal agencies from requiring that private entities design or alter their commercial information technology products for the purpose of facilitating government surveillance.
Wyden’s one-page summary of the bill [pdf link] notes that FBI Director James Comey’s ongoing push to create some sort of “law enforcement only” security holes in Apple and Google’s on-by-default encryption undermines the government’s push for better personal and professional security. It also does further damage to the limited amount of trust remaining in the wake of the Snowden leaks and increasing evidence of law enforcement overreach.
U.S. government and independent experts have extensively documented the multi-billion dollar threat posed by constant cyberattacks from criminal organizations and foreign government-sponsored hackers. The U.S. government also urges private companies and individuals to protect sensitive personal and business data, including through the use of data security technologies such as encryption. The recent proposals from U.S. law enforcement officials to undercut the development and deployment of strong data security technologies by compelling companies to build backdoors in the security features of their products work against the overwhelming economic and national security interest in better data security.
Moreover, the decision of government officials to repeatedly mislead the American public about domestic surveillance activities has resulted in an erosion of public trust. Requiring computer hardware and software companies to now create intentional gaps in their data security products to facilitate further government access to personal data will undermine the effort to restore trust in the U.S. digital economy.
Government-driven technology mandates to weaken data security for the purpose of aiding government investigations would compromise national security, economic security and personal privacy.
Here’s the actual wording of the backdoor ban [pdf link], which has a couple of loopholes in it.
(a) IN GENERAL.—Except as provided in subsection (b), no agency may mandate that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.
Subsection (b) presents the first loophole, naming the very act that Comey is pursuing to have amended in his agency’s favor.
(b) EXCEPTION.—Subsection (a) shall not apply to mandates authorized under the Communications Assistance for Law Enforcement Act (47 U.S.C. 1001 et seq.).
Comey wants to alter CALEA or, failing that, get a few legislators to run some sort of encryption-targeting legislation up the Congressional flagpole for him. Wyden’s bill won’t thwart these efforts and it does leave the NSA free to continue with its pre-existing homebrewed backdoor efforts — the kind that don’t require mandates because they’re performed off-site without the manufacturer’s knowledge.
This is still in early draft form and will likely be finessed as it heads towards becoming a finished product, hopefully addressing a few of these issues on the way. If nothing else, it sends yet another message to James Comey and like-minded law enforcement officials that there’s a whole bunch of legislators waiting to thwart their pushes for instant, permanent access to the American public’s cellphones.