The Lawful Access to Encrypted Data Act wants to ban strong encryption

An illustration of law enforcement breaking through encryption.

The United States Congress is considering a law that would destroy online privacy as we know it and essentially outlaw the most secure American tech products, such as Signal. The law would ban end-to-end encryption for large companies and require developers to break their own products at the request of law enforcement agencies.

The bill is called the Lawful Access to Encrypted Data (LAED) Act, proposed by three Republican Senators on June 23.

The stated purpose of the law is to give police and security agencies the ability to quickly access information contained on a suspect’s encrypted device. The LAED Act targets all data that is encrypted, both in transit and at rest. So not only would a tech company be forced to help the FBI break into a smartphone seized from a suspect, but it would also have to build a way to let officials monitor end-to-end encrypted communications, including whoever the suspect is talking to.

This bill reopens the door to the kind of government surveillance that led us to create Proton back in 2014. Make no mistake: This bill puts the privacy and security of everyone at risk, not only suspected criminals. If a back door exists, no one is safe.

What is the Lawful Access to Encrypted Data Act?

This law would require any American company with more than 1 million users in the US to be able to decrypt its users’ data and present it to law enforcement. It would apply to operating systems, messaging apps, videoconference apps, email providers, and cloud storage apps, as well as any device that has at least 1 GB of memory. 

This bill also attacks the encryption system that keeps the entire Internet secure. The LAED Act would require a backdoor to HTTPS, the system that secures almost all websites with TLS encryption, so that law enforcement could access encrypted metadata. Without HTTPS, attackers can trace your online activity from site to site. If HTTPS were to be broken it would fundamentally alter how the Internet worked. 

How would the LAED Act work?

The LAED Act would supplement the ways law enforcement agencies get permission to access private information. Currently, if authorities want to access data at rest (such as a photo on your computer) they need a search warrant, and if they want to access data in motion (such as text messages being sent over the Internet) they need permission for a wiretap.

Under the LAED Act, if law enforcement wants to decrypt a device to access data at rest, they would need to get a court order requiring technical assistance from the service provider in addition to the standard search warrant. The LAED Act would set a comically low bar to require decryption: All the police have to do is prove there are “reasonable grounds to believe” decrypting a device will help in the execution of their search warrant. In other words, if the authorities can prove that it is reasonable to expect that decrypting a device will yield useful information, then a judge must order that the device be decrypted and the service or device provider in question must decrypt their product.

  • Example: Under the LAED Act, police could require Apple to decrypt a suspect’s phone so that it can access the data it holds (presuming it can convince a judge that there are “reasonable grounds to believe” it contains useful information).

To give law enforcement access to data in transit, the LAED Act would add the word “decrypt” right into the technical assistance a service provider must perform if it is served with a wiretap warrant. A wiretap warrant lets law enforcement get access to the content of a message or conversation. This new wording would force any service provider that is served with a wiretap to undo its encryption and present the plaintext content of the messages in question to law enforcement.

  • Example: Under the LAED Act, law enforcement could require WhatsApp to decrypt a conversation so it can read messages exchanged between suspects so long as it can get a wiretap warrant. 

The LAED Act also embeds this “decrypting” language directly into warrants that give police access to the metadata of text messages or emails, known as pen register/tap-and-trace warrants. So police would be able to see who sent the message and who received it. 

This act would effectively require any American company that offers E2EE to redesign its product so that it can be decrypted. 

If there is a service that does not yet have a known decryption method, the LAED Act lets law enforcement agencies issue an “assistance capability directive.” In short, this requires a company to develop (or maintain) a way around encryption. And this can be applied to any company, not just ones that meet the 1 million user threshold

The bill even created a prize competition to incentivize researchers to develop new ways to break secure cryptography. 

How would the LAED Act affect you?

As a Proton user, your data would remain secure. Because we are a Swiss company and store all your data on servers in data centers in Switzerland, ProtonMail is not subject to US laws. Any request from foreign law enforcement needs to be approved by a Swiss authorities. This means that even if this bill became law, we would be able to continue providing end-to-end encryption and zero-access encryption to our users, ensuring their messages stay secure and private.

However, if this bill is passed, the Internet’s overall security would dramatically decrease. Storing any personal data on your smartphone or conducting business online would become much riskier. As long as there is a backdoor in encryption, it is simply a matter of time before hackers discover it and exploit it.

LAED would also have immediate, concrete impacts. Companies might deploy weaker encryption on their products in the US. The ban on end-to-end encryption in the US means that if  WhatsApp and Signal want to keep their encryption, they would likely have to remove their apps from the US versions of the App Store and Google Play. The encryption used on Apple’s iMessage and Android, iOS, macOS, and Windows devices would all have to be redesigned with backdoors.

Given the United States’ role in tech development, this law could also have a profound impact on the use and application of strong encryption around the world. If US companies develop the ability to build backdoors into existing secure encryption systems, that technology will be in high demand worldwide, especially by authoritarian governments. 

The LAED Act must be stopped

This is an explicit attack on encryption that rejects the advice of virtually every security researcher. The problem, as we have stated again and again, is that any encrypted platform with a backdoor is fundamentally insecure. There is no such thing as a backdoor that only lets the good guys in. If there is a vulnerability, eventually, someone will find it and exploit it.

Once these vulnerabilities are built into platforms, the key to exploiting them will become the number one target of every hacker. Keeping these keys secure would be almost impossible. The US government has failed at this task in the past, like when a group known as the Shadow Brokers stole and published CIA hacking tools.

If every communications service has a backdoor, then the entire premise of the Internet as we know it collapses: The Internet and all the knowledge-sharing, self-expression, and economic transactions it enables could not function without encryption. If people are afraid that hackers will read their emails or steal their credit card numbers, the Internet will become useless.

This law is also indicative of a disturbing trend that is sweeping Western democracies. It is simple to trace the “assistance capability directive” in the LAED Act to the “technical assistance notices” in Australia’s Assistance and Access Law, which was inspired by the UK’s Investigatory Powers Act. All of these laws whittle away at their citizens’ rights and the security of the Internet. Seeing such a law passed and enforced in the US could encourage other countries to pass their own version of the LAED Act.

What you can do

The LAED Act is currently sitting in the Committee on the Judiciary. It has not faced a floor vote in either the Senate or the House of Representatives. You can monitor its progress here.

If you are concerned about your privacy, you can also sign up for a free email account with ProtonMail. This account will also give you access to the free version of ProtonVPN, which you can use to encrypt your online browsing.

We also urge everyone to read the bill itself along with other explainers of how the bill will work. The Electronic Frontier Foundation has a helpful analysis of the bill.

If you are an American who is worried about your right to privacy, you should call or write to your representatives in Congress and tell them you are against the LAED Act. By voicing your support for strong encryption, you will be contributing to the fight to keep the Internet secure, private, and free.

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.

About the Author

Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

 

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

11 comments on “The Lawful Access to Encrypted Data Act wants to ban strong encryption

  • It’s time for all freedom-loving hackers to focus their efforts on compromising and then publishing the private communications of politicians everywhere.

    Reply
  • If the LAED Act is passed and a backdoor to HTTPS is built in, would that compromise your connection to services like Protonmail?

    Reply
    • It would depend on how the law is interpreted and the “backdoor” is implemented. But it certainly highlights the importance of using end-to-end encryption.

      Reply
  • I simply do not understand how people who are supposed to be in charge can be so ill informed. You cannot and should not expect a politician to be an expert at everything they decide on, but they should be an expert at seeking the correct advice.

    Do they not understand that if encryption is reversible then its reversible for everyone who is clever enough , all it is is mathematics!

    Not to mention that all the big companies will do is move out of the US to somewhere that will let them encrypt and the ones that don’t will be replaced with other small ones that do, resulting in damage to the american economy!

    My own country the UK has tried to do this stupid stuff before but it did not pass….. this time. ( Theydo have the great firewall of the UK tho 🙁 )

    Reply
  • Yes, this must be stopped. This act is also illegal in the US as it violates the US Constitution, 4th amendment. The right of the people to feel secure in their papers, houses and effect. This backdoor would comprimise the good guys as well. Without probable cause of a crime being or has been commited. Government cant state that everyone in the country has, is or about to commit a crime therefore this act would be illegal, even if passed. I would hope big tech companies like facebook, google… would just say No. If everyone understand their basic human rights, and in the US their protected rights under the constiution, I doubt this would be happeing, at least without starting a war either on the ground or online. It will also effect the politicians in office as well, so thats something else for them to think about. Their not security professionals, yet there acting like they know more.

    Reply
  • Hope this is applicable to the above……Will Proton consider creating a cellphone texting app, such as Signal……If this was established in Swizterland , it might also be operating free of US influence as a phone app… Cell phone email serves very well. but a secure independent Text service made by proton would be amazing, and badly needed

    Reply
  • I would echo the suggestion made for a Protonmail signal like text message app made by Patrick McCarthy, except I would suggest working with Signal Foundation to develop a Signal clone. The advantage would be a substantially lower development effort for Protonmail. If the clone and original Signal could communicate with each other in a secure fashion, everyone wins as more users are better. If Protonmail could add a feature to work from Protonmail contacts rather than phone contacts, it would provide a great security enhancement. Having the application overseas would make it difficult for government regulation.

    Reply
  • I wrote to my Senator, who is on the Justice Committee, when encrypted backdoor legislation was being considered in committee. She responded to my email. Part of the written response is below:

    Thank you for writing to share your concerns regarding encrypted activity and privacy. I appreciate the time you took to write, and I welcome the opportunity to respond.

    I understand you are opposed to legislation that would require technology companies to create backdoors in their software for law enforcement to access encrypted activity in the course of an investigation.

    I believe we must strike an appropriate balance between personal privacy and public safety. Terrorists and criminals are increasingly using encryption to block law enforcement efforts and endanger Americans. I strongly believe that law enforcement must be allowed to investigate the planning or commission of crimes when necessary. In keeping with the Constitution, law enforcement has always been permitted to seek and obtain warrants from a court where there is probable cause of criminal activity. Therefore, I support solutions that maximize the privacy of customers while still enabling law enforcement to obtain the information it needs to investigate serious crimes.

    As the Ranking Member of the Senate Judiciary Committee, I have taken careful note of your concerns and will keep your views in mind should legislation concerning backdoors to encrypted data and privacy issues come before me in the Senate.

    I intend to write back to both of my State Senators and my district Congressional Representative and send a copy to the ACLU. I hope many other Americans write as well as it is important to change the minds of Congress, and it will take many emails. There are several important points to make:

    1) Backdoor encryption will not deter criminals or terrorists, there are many encrypted email, file sharing, and file storage products outside US jurisdiction as commercial and Free and Open Source Software (FOSS).

    2) The 4th Amendment of the Constitution establishes a RIGHT TO PRIVACY, which REQUIRES a warrant in order in order to breach that privacy. A backdoor cannot be made which responds only to warranted entry. It is inevitable that encryption backdoors would violate innocent citizens constitutional rights to privacy.

    3) A warrant does not permit law enforcement to disseminate personal information, either willfully or negligently outside of law enforcement. The recent ‘Blue Leaks’ demonstrate that State and Federal law enforcement is not able to safeguard the digital personal information they collect.

    Reply