A number of US Representatives introduced the Secure Data Act today, bipartisan legislation aimed at preventing the government from forcing backdoors into encrypted products and services. The act was introduced by Representatives Zoe Lofgren (D-CA) and Thomas Massie (R-KY) and was cosponsored by Jerrold Nadler (D-NY), Ted Poe (R-TX) and Matt Gaetz (R-FL). "Encryption backdoors put the privacy and security of everyone using these compromised products at risk," Lofgren said in a statement. "It is troubling that law enforcement agencies appear to be more interested in compelling US companies to weaken their product security than using already available technological solutions to gain access to encrypted devices and services."
While similar to previous legislation proposed by Lofgren, the act's introduction stems from a Department of Justice report that concluded the FBI didn't do everything it could to access the San Bernardino shooter's iPhone in 2016 before resorting to a court order. At the time, Apple refused to unlock Syed Rizwan Farook's phone, saying that the agency's request was unconstitutional, so the FBI then petitioned for a court order. But before anything went down in a courtroom, the FBI used an outside vendor to crack the phone and the DOJ's report found that such a solution could have been reached much earlier in the process if communication had been more effective throughout the agency. In her announcement of the bill today, Lofgren said those events and subsequent report suggested the "FBI preferred obtaining a precedent-setting court judgement compelling Apple to weaken their product encryption."
The proposed legislation states that, "No agency may mandate or request that a manufacturer, developer or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product by any agency." It notes one exception, which would be any mandates, requests or court orders that fall under the Communications Assistance for Law Enforcement Act. Additionally, the bill says no court can issue an order to compel changes to security functions in order to allow surveillance by a government agency.
Earlier this year, FBI Director Christopher Wray, speaking at a cybersecurity conference, said that the agency wasn't able to access the content of 7,775 devices during the previous fiscal year, calling encryption a "major public safety issue." In March, reports surfaced that the DOJ and the FBI were meeting with security researchers, seeking ways to crack encrypted devices.
"Congress must act to protect the products available to Americans that keep their personal information safe from warrantless surveillance and hackers intent on breaching their data," said Lofgren.