By now you are likely aware of Apple’s ongoing battle with the Justice Department over the scope of the All Writs Act and its resistance of a federal court’s order compelling Apple to create special software that would unlock the iPhone used by Syed Rizwan Farook, one of the assailants in a mass shooting in San Bernardino, California. If you haven’t kept up with the story, an excellent walk through of where things stand may be found here.
Apple’s case is generating a great deal of public debate over the amount of privacy a person may come to expect when using their phone and the scope to which the government may intrude on that privacy. This debate, however, only scratches the surface of the ongoing encryption battle being waged in the United States.
In January 2016, California assembly member Jim Cooper (D-Elk Grove) introduced Assembly Bill (AB) 1681. Generally, the bill
“would require a smartphone that is manufactured on or after January 1, 2017, and sold in California, to be capable of being decrypted and unlocked by its manufacturer or its operating system provider.”
New York has followed suit, with its senate introducing legislation parroting AB 1681 last week.
This is a big deal. Were legislation like this to pass it would equate to a ban in both states on nearly all iPhones and many devices that run Google’s Android operating system, because phones currently running both operating systems are not capable of decryption, even by the manufacturers. Imagine having to drive to another state (or country) in order to buy an iPhone because the state you live in bans the sale of encrypted devices.
So, why is the legislation being introduced? Well, AB 1681 is likely a reaction to the recent efforts of various technology companies to avoid disclosure of user data in all but the most limited circumstances. Many government officials believe that the privacy protections afforded to the public through the encryption of data are outweighed by the potential national security and public safety risks that arise when people have the ability to be truly anonymous.
Such concerns are not without merit. Encryption technology is advancing by the day and is being accompanied by the growing refusal of certain technology companies to assist the government in its data collection efforts – potentially a reaction to the public spotlight shone on such efforts by the Washington Post’s exposé on the PRISM program. In 2013, the Washington Post published an article alleging that the National Security Agency and the FBI were “tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chat, photographs, e-mails, documents, and connection logs” through a program code-named PRISM. These companies included Apple, Google, Microsoft, and Facebook.
Since that time, many of these companies have taken a hard line stance on data encryption and protection, often fighting over disclosure in circumstances that may otherwise seem harmless in an effort to avoiding setting a far-reaching disclosure precedent. A good example of this is the recent case in which Apple informed a widow that she would need to obtain a court order before it would surrender her deceased husband’s Apple ID password.
Indeed, Apple has been leading the fight against disclosure. In 2013, Apple announced that the popular iMessage and FaceTime features on their iPhones, iPads, and computers were protected with end-to-end encryption that no one but the sender and receiver could see and that Apple could not decrypt the data. Google has made similar claims, while Facebook provided in a press release that:
“We aggressively protect our users’ data when confronted with such requests: we frequently reject such requests outright, or require the government to substantially scale down its requests, or simply give the government much less data than it has requested.”
Whether AB 1681 will become law remains to be seen. However, at least two members of the U.S. Congress are hoping to ensure that legislation like it cannot be introduced in the future. On February 10, 2016, Rep. Ted Lieu (D-CA) and Rep. Blake Farenthold (R-TX) introduced a bill called the ENCRYPT Act of 2016, short for the Ensuring National Constitutional Rights of Your Private Telecommunications Act. “The act would deny states the power to block the sale of encrypted smartphones or require that manufacturers equip their phones with a back door to access private data.” According to an e-mail Lieu sent to CNET.com, the introduction of the bill was necessary to avoid “having 50 states with 50 different encryption back doors standards or bans” which he sees as “recipe for disaster for American privacy and competitiveness.”
Introduction of the proposed ENCRYPT Act of 2016 is not likely to be the only step taken by Congress. Sen. Dianne Feinstein (D-CA) and Sen. Richard Burr (R-NC) have both vowed to bring a bill imposing limits on encrypted devices. Regardless of the outcome of any of these bills, there can be no question that the encryption debate is not ending any time soon.
Matt Haynes,matthew.haynes@leclairryan.com