Encryption Debates in Congress

There are a variety of government actors that play key roles in debates around encryption and consumer privacy. As noted earlier, Congress has periodically taken up efforts to enact encryption legislation since the 1990s. Most of these initiatives have involved attempts to restrict or undermine the use of strong encryption. For example, in response to events like the terrorist attacks in San Bernardino, California in 2016, and at a Naval air station in Pensacola, Florida in 2019, law enforcement has asserted that encrypted mobile devices are a significant barrier to their investigations. Opponents have also characterized encrypted messaging as a tool used by criminals and drug cartels to coordinate violent activities.¹ Based on these assertions, various members of Congress have introduced bills seeking to restrict encryption, with the two most recent being the Law Enforcement Access to Encrypted Data Act of 2020, and the EARN IT Act of 2020, both introduced by Sen. Lindsey Graham (R-S.C.).

The Law Enforcement Access to Encrypted Data Act attempts to force companies to proactively design vulnerabilities in their products, so that they are always able to provide user information to law enforcement. The bill applies to both stored data and data in motion, and is more comprehensive than previous legislative attempts to restrict encryption for a few reasons. First, the bill seeks to amend a sweeping range of law enforcement and surveillance authorities. Second, it would apply to a much broader scope of targets, including nearly every device that includes at least one gigabyte of storage capacity, which would include cell phones and laptops, but probably also Internet of Things devices, gaming consoles, and maybe even voting machines.² It also targets all encrypted messaging services. Further, the bill would provide two mechanisms to undermine encryption—companies with over 1 million U.S. users would be required to proactively design backdoors, and companies with fewer than 1 million U.S. users could be issued an assistance capability directive by the Attorney General, which would require them to build a backdoor on request. By definition, if companies must retain the ability to decrypt information for law enforcement, it is not technically possible for them to implement fully end-to-end encryption, so this bill would effectively result in a ban on the use of strong encryption by companies.

The EARN IT Act of 2020 is unlike previous legislative attacks on encryption.³ It is focused specifically on one type of criminal activity that law enforcement argues is facilitated by strong encryption—the exchange of “child sexual abuse material” or CSAM online. The problem of CSAM is extremely important to address, however the EARN IT Act is not actually well-designed to do so. There are myriad other ways to empower law enforcement to combat CSAM, including redirecting funding to support the addition of badly needed staff and helping them more effectively use current lawful investigative tools. The EARN IT Act does not directly require companies to design backdoors in their products; instead the bill uses Section 230 of the Communications Decency Act to threaten the intermediary liability protections for tech platforms or other providers that publish third-party content. Although the Senate Judiciary Committee approved a revised version that does incorporate an amendment aimed at protecting encryption, the bill still poses a real threat to strong encryption. The latest version increases companies’ Section 230 liability so greatly that companies might avoid offering encryption services altogether rather than face litigation based on state CSAM laws with varying standards.⁴

It is worth noting that none of the directly anti-encryption laws have yet passed, and that the United States currently has no laws limiting the use of encryption or restricting the ability of companies to implement it, unlike other countries including Australia and the United Kingdom. Although this is an ongoing debate around the world, supporters of strong encryption in the United States have, so far, managed to prevent any dangerous legislation from passing.

Some members of Congress have also sought to enact legislation that would protect and promote strong encryption. Pro-encryption proposals have ranged from the Security and Freedom Through Encryption (SAFE) Act of 1996, which garnered sponsorship from the majority of the members of the House of Representatives and aimed “to affirm the rights of United States persons to use and sell encryption and to relax export controls on encryption,” to the Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act of 2019, which would preempt states from imposing decryption requirements on a manufacturer, developer, seller, or provider of covered products or services.

Encryption also plays a role in discussions about comprehensive consumer privacy legislation. During the event, Asad Ramzanali, legislative director for Rep. Eshoo, described the importance of including encryption in the Online Privacy Act, a bill proposed by Reps. Anna Eshoo and Zoe Lofgren (D-Calif.) as part of “a broader discussion about the role of technology companies, and technology and society, and how policy should and should not be reacting to some of the harms that we see.” Ramanzanali specifically addressed the relationship between policy on encryption and the current “techlash,” as well as heightened scrutiny and mistrust of the technology industry in general. As he explained, “Tech can do a lot of good. But when people stop to trust it, it becomes problematic, And so that's where encryption, to us, also plays an important role.”

A crucial component of many companies’ moves to default encryption at rest and end-to-end encrypted messaging is that these protocols also prevent companies themselves from accessing user data. Quay-de la Vallee framed the privacy dynamic as “if you want to live in this world, you're going to cede control to entities that you don't necessarily trust… the whole concept of end-to-end encryption is essentially that I don't have to trust that WhatsApp isn't going to look at my messages. I don't have to trust that they're going to do the right thing and not go snooping. I just know that they can't.” Legislation to protect and promote strong encryption would help safeguard private data, from both companies and other actors, while allowing users to benefit from technology that is crucial to the way we live and work.