A bill that would prevent the government from requiring tech companies to weaken their encryption to help law enforcement is stuck in committees in both houses of Congress.
The lack of movement on the Secure Data Act—S. 135 in the Senate and H.R. 726 in the House—means that legislative conversation around encryption will be dominated by a Senate bill mandating these technical weaknesses, which critics call "backdoors."
The Secure Data Act, introduced by Sen. Ron Wyden (D-Ore.) and Rep. Zoe Lofgren (D-Calif.), reads simply, "No agency may mandate or request that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency."
Wyden introduced the Senate version on Jan. 8, while Lofgren introduced the House version on Feb. 4, 2015. The Senate bill is pending before the Commerce Committee, while the House bill is pending before both the Intelligence and Judiciary committees.
A Wyden aide said he wasn't aware of any plans to mark up the Senate bill in the Commerce Committee. But in a statement to the Daily Dot, Wyden said critics of backdoors had "made significant progress" on the public-relations front since the bill's introduction.
"When I offered the Secure Data Act as an amendment in the Intelligence Committee, last year, it got three votes," Wyden said. "Today there is growing interest both in the Senate and House for legislation to protect Americans’ security and liberty by outlawing government mandates for backdoors and other cybersecurity weaknesses."
"Strong encryption guards sensitive personal data and underpins the security of e-commerce worldwide," she said.
A spokeswoman for Senate Commerce Committee Chairman John Thune (R-S.D.) said Thune's staff was "in the process of reviewing the bill" but did not comment further.
Even if Wyden's version begins to move through the committee, the real obstacle will be in the House.
A House Judiciary Committee aide told the Daily Dot not to expect the committee to move any encryption bills before a congressional encryption working group completed its analysis of the broader topic. That group, composed of Judiciary and Energy and Commerce lawmakers including Lofgren, has given itself until the end of the 114th Congress to complete a report.
A second House aide familiar with the bill, who requested anonymity because they were not authorized to discuss its status, confirmed that there were no active discussions about advancing the legislation in the lower chamber.
Civil-liberties advocates said they hoped both houses would eventually take up the bill.
"We would love to see the Secure Data Act get more traction," Joseph Hall, chief technologist at the Center for Democracy and Technology, said in an email. "It's critically important that we put a stop to desires to backdoor technologies or mandate reductions in the security they can offer."
Mark Jaycox, civil liberties legislative lead at the Electronic Frontier Foundation, said in an email, "We think it should move forward."
Wyden and Lofgren, two of Congress's leading digital-security advocates, introduced the legislation in response to growing demands for a backdoor mandate from leading law-enforcement and intelligence officials.
As unbreakable encryption becomes more prevalent, more criminals and terrorists are using it to hide their activities. FBI Director James Comey calls this trend "going dark," and in recent years he and other top officials have pushed tech companies to design their encryption to eliminate the problem.
But according to the world's leading security experts, there is no way to safely design encryption so that a company can bypass it if presented with a warrant for user data. Any aspect of encryption intended to allow its designer to circumvent it can be discovered and exploited by hackers or foreign intelligence agencies.
For this reason, Silicon Valley and its supporters in the security and privacy communities have railed against backdoors. They argue that mandating them would not only jeopardize the security of innocent people but also push terrorists onto unreachable foreign platforms and damage U.S. companies' reputations and economic standing.
These warnings do not concern Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), who introduced the Compliance With Court Orders Act on April 13. The bill would require tech companies to provide investigators with "intelligible" data in response to lawfully issued warrants, effectively prohibiting the use of encryption that cannot be broken to decrypt user data.
Apple's use of unbreakable encryption, beginning with iOS 8 in September 2014, set it on a collision course with local police and the FBI, culminating in a high-profile clash over a dead terrorist's iPhone in a California district court.
The Justice Department got a court order requiring Apple to help bypass some of its security features to help the FBI unlock the phone. Apple appealed the order and was prepared to argue its case in a Riverside, California, courtroom, but then the government dropped its demand when a third party sold it a tool that let it access the device.
Neema Singh Guliani, a legislative counsel at the American Civil Liberties Union, said that while the Secure Data Act might not go anywhere, similar conversations were already happening.
"I think that the growing concerns over cybersecurity will hopefully lead to a broader debate in Congress over how to support the spread of strong encryption," Guliani said in an email. "We have seen the ideas in [the Secure Data Act]—i.e. the notion of safeguarding the rights of companies to use strong encryption—very much present in the debate."