Senate Bill Prohibits Government-Mandated Backdoors - InformationWeek

12/5/2014
02:45 PM

Senate Bill Prohibits Government-Mandated Backdoors

Bill represents a response to government officials who want a way to bypass encryption in technology products.


A bill introduced to the US Senate on Thursday calls for the prohibition of government-mandated backdoors or security holes in US software and hardware products.

US Senator Ron Wyden (D.-Ore.) proposed the bill, the Secure Data Act, as a way to protect Americans' data from independent and state-backed hackers, following calls from US government officials to compromise US technology products for the convenience of law enforcement.

"Strong encryption and sound computer security is the best way to keep Americans' data safe from hackers and foreign threats," said Sen. Wyden in a statement. "It is the best way to protect our constitutional rights at a time when a person's whole life can often be found on his or her smartphone."


Prompted by a series of disclosures that began last year about the scope of online data gathering by the National Security Agency and other government agencies -- revelations prompted by the government documents leaked by Edward Snowden -- technology companies have been moving to implement encryption more broadly, so their security commitments don't sound hollow. Absent credible security capabilities, cloud computing and mobile devices become too risky for many businesses and individuals.

Senator Ron Wyden (D.-Ore.)

Both Apple and Google, for example, have implemented encryption on their smartphones in a way that they claim prevents them from decrypting data, even if presented with a request for access by officials.

Though authorities have other avenues for obtaining data about smartphone users and their devices -- neither Apple nor Google has said it cannot access data stored in its cloud services -- the prospect of inaccessible smartphones has alarmed the FBI.

Wyden's bill comes in response to FBI director James Comey's call for technology vendors to include a way for law enforcement to access encrypted data on vendors' devices. Comey in a speech in October argued that he is asking not for a backdoor but for a front door, without explaining the ostensible distinction between the two.

"There is a misconception that building a lawful intercept solution into a system requires a so-called 'backdoor,' one that foreign adversaries and hackers may try to exploit," said Comey. "But that isn't true. We aren't seeking a backdoor approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by law."

Security experts consider any breach in electronic defenses, whether referred to as a hole, door, or by some other term, a potential vulnerability. In 1996, during a previous government push for access to encrypted data, a National Research Council report argued against backdoors, noting that the burden on intelligence gathering was outweighed by the business benefits of data security.

Wyden points to the 2005 compromise of the Greek cellphone system through a lawful interception mechanism built into Ericsson's AXE network switches as an example of the risk posed by backdoors. The 2010 hacking of Google's systems in China, which prompted the company's withdrawal from mainland China, was also facilitated by a lawful interception system.

Wyden's bill may have difficulty attracting support in the Senate. Last month, the Senate narrowly failed to advance the USA Freedom Act, a bill that would have banned the NSA's collection of phone data. And Republicans, who take control of the Senate in January, have tended to be deferential to the concerns of law enforcement authorities.


Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
Joe Stanganelli
User Rank: Author
12/12/2014 | 9:03:55 PM
Re: Clarity
The problem is that giving law enforcement the decryption key/complying with a court order is really just a form of insider attack, as Ed Felten posited a little more than a year ago on his blog; the only difference is motive.  And, of course, if you're vulnerable to this type of insider attack, you're vulnerable to other types.  Thus, taking moves like Apple has to try to make this impossible is good for security overall.
Joe Stanganelli
User Rank: Author
12/12/2014 | 9:00:48 PM
Re: Clarity
Indeed, it strikes me as a worthy bill -- that seems bland enough to be able to garner enough support.  But it ultimately doesn't do much -- and that's concerning because that means there's very little real debate on this issue happening on Capitol Hill.
jries921
User Rank: Ninja
12/9/2014 | 1:59:38 PM
Re: Clarity
The cops don't need special access to kick your door down, and if they do, then you know that someone (not necessarily a police officer) broke in.  To me, a front door approach means no access not available to private citizens without a warrant based on probable cause (with the usual exceptions); in other words, no special access; especially if surreptitious.  If the police want to tap someone's phone, then they should have to procure a warrant, serve it on the provider, and then install, maintain, and operate the equipment themselves (at taxpayer expense) without any further need for cooperation from the provider.  And once the court ordered data have been procured and no more orders are likely to be forthcoming, the equipment should be removed.  And I actually am comfortable with the recipient of a search warrant being required to cooperate fully with the search, even to the extent of providing the keys needed to decrypt sought after data as again, he knows he's being searched and he can change the keys when the cops leave (but I'm not comfortable with luggage locks the TSA knows how to pick; I'd rather not lock my luggage at all, if that's the only other choice).  It also means that it should be *illegal* for custodians of the data and property of others to voluntarily surrender them to government officials without a warrant, unless it would be legal to grant such access to private citizens (and there should be no limits on liability in such cases).  But while special access approaches may sometimes be necessary, they should be rare, and avoided if at all possible; and should only be accessible by court order.

The assumption should be that if the police can do something, others will be able to, legally or not; and that there will always be some police officers and other government officials and agents who will abuse their authority, even if the vast majority of their peers are paragons of virtue.  The purpose of the Fourth Amendment is not to prevent a totalitarian state (such states feel free to ignore legal requirements whenever they find them inconvenient) and it's not to protect "criminals"; rather, the purpose is to prevent abuse of authority; and to protect people from intrusion and/or harassment when there is no logical reason to believe they have broken the law.

 
GAProgrammer
User Rank: Ninja
12/9/2014 | 9:16:06 AM
Re: Clarity
I applaud your excellent analogy to keys, but it falls short in one area - police can, with a warrant, break down a door or cut/pick a lock, thereby granting them access. The "frontdoor" approach (whatever that means) is supposed to give them that access. However, I agree with all the other posters that this is just more grandstanding and empty platitudes as the bill doesn't have any real teeth.
DWilson.IA
User Rank: Apprentice
12/8/2014 | 1:17:19 PM
Re: Clarity
Did you see the movie, "Wag the dog"?

 
jries921
User Rank: Ninja
12/8/2014 | 10:09:26 AM
Re: Clarity
It might be grandstanding, but I think the principle is correct: courts issue search warrants on probable cause, but people are not required to give the police keys to their homes, offices, automobiles, or storage units; nor has anyone seriously suggested such a mandate; and a mandate that all locks be pickable by the police would be laughed out of any legislature in the country.  And Sen. Wyden is correct that special access for the police is highly unlikely to be limited to the police; and it's even more unlikely that the police will never abuse the privilege.  It therefore seems to me that special access be granted *very* reluctantly, if at all.

 
jagibbons
User Rank: Ninja
12/8/2014 | 6:45:06 AM
Re: Clarity
This sounds more like grandstanding about commonly held beliefs and paranoia rather than something that is truly geared toward the common good. It sounds like an important bill for the betterment of all in our society, but it doesn't have much in the way of teeth or requirement. My concern is much higher regarding non-US made equipment where there may be a state sponsoring back doors.
Joe Stanganelli
User Rank: Author
12/6/2014 | 6:27:31 AM
Re: Clarity
The bill (which is an easy read at about a page and a half) wouldn't really close a lot of backdoors anyway.  All it looks like it would do, as it stands now, is prevent government agencies from mandating backdoors or release of information in the future.  Frequently, however, as Snowden showed us, it's not mandated; it's either coaxed or coerced, or it's just plain stolen.

What's more, the bill could potentially not cover certain industrial control system devices not sold to the general public.

And the whole thing doesn't apply anyway where mandates under the Communications Assistance for Law Enforcement Act are concerned.
micjustin33
User Rank: Strategist
12/6/2014 | 2:26:32 AM
Re: Clarity
I see where the senator is trying to help. But it's not like there's a list of back doors the public has that we can close with a bill. How would we really know if the back doors were taken care of? This seems like a ploy to get us distracted.
danielcawrey
User Rank: Ninja
12/6/2014 | 1:04:14 AM
Clarity
The problem with Comey's comments is that in the past, there has not been transparency or clarity. And while I can appreciate his efforts to try to bring that to investigative practices, there are still going to be many who feel intrusive practices will still exist no matter what the government publicly says.