Although the Federal Bureau of Investigation’s (FBI) dispute with Apple dominated the news for months this spring, the real encryption war may only now be simmering, as states battle the federal government over the right to regulate encryption.
Manufacturers encrypt products to shield consumers from hackers that want access to personal devices, vehicles, and even bank accounts. Some argue that weakened encryption would create new vulnerabilities that hackers can exploit, ultimately compromising security.
Yet, responding to encouragement by state district attorneys and the National District Attorney’s Association, representatives in California and New York have introduced bills that prohibit the sale of encrypted phones. Bills in both states would require companies to comply with court orders requested by law enforcement to decrypt phones. The California bill imposes a fine that begins in 2017 for the sale of encrypted phones, while New York’s bill warns that manufacturers may be subject to actions by the New York Attorney General and District Attorney’s offices for sale of encrypted phones.
In California, Assemblyman Jim Cooper endorses his state’s decryption mandate bill as a tool to assist law enforcement with warrants used to catch human traffickers. New York State Assemblyman, Matthew Titone, defends his proposed decryption bill, noting that “Congress has failed to act.”
However, recent proposals in the House appear responsive to the legislative movements in both New York and California. Representative Ted Lieu (D-CA), along with Representative Blake Farenthold (R-TX), have introduced a federal solution to encryption disputes, proposing the Ensuing National Constitutional Rights for Your Private Telecommunications Act, or the ENCRYPT Act of 2016. As proposed, the Act would override any state law mandating that companies decrypt their products when under court order or in compliance with law enforcement. The ENCRYPT Act would also prohibit mandated alterations to security infrastructure tailored to government surveillance of encrypted consumer devices.
Representative Lieu stated that the proposed Act grew out of concern for what he sees as a “patchwork system” of encryption requirements that could develop if every state were to create their own decryption and security vulnerability mandates. He believes, instead, that variations in state laws may create new vulnerabilities, threaten consumer privacy, and undercut innovation.
Competing initiatives in Congress might stall the creation of a federal solution to encryption. Even though Lieu and others are working to pass the ENCRYPT Act in the House of Representatives, on the other side of Congress, Senators Diane Feinstein (D-CA) and Richard Burr (R-NC) introduced legislation that would require companies to decrypt data under court orders. Yet, other senators oppose the legislation. For example, Senator Ron Wyden (D-OR) has argued that government efforts to prohibit encryption are “dangerous.”
Still, despite the seemingly disparate initiatives in both houses of Congress, industry advocates want to be able to rely on the federal government to determine a regulatory solution for encryption battles. Morgan Reed of ACT: The App Association has spoken against state regulation of encryption and has instead endorsed broader federal legislation. “Any attempts by states to regulate independently,” he said, “would be unmanageable and interfere with interstate commerce.”
The encryption war is in its early stages and as such, Congress is now gearing up to address a possible swell of battles to come. In a move that signals greater interest toward a collaborative approach, House Homeland Security Chairperson, Michael McCaul (R-TX), and Senator Mark Warner (D-VA) introduced legislation that would create the National Commission on Security and Technology Challenges. The Commission would include tech-industry executives, security experts, and law enforcement officers and would provide Congress with policy recommendations. Support for this Commission may signal Congress’ recognition that solutions to encryption fights, like the FBI-Apple dispute, will need a comprehensive approach with input from a variety of interested parties.