The United States Congress is considering a law that would destroy online privacy as we know it and essentially outlaw the most secure American tech products, such as Signal. The law would ban end-to-end encryption for large companies and require developers to break their own products at the request of law enforcement agencies.
The bill is called the Lawful Access to Encrypted Data (LAED) Act, proposed by three Republican Senators on June 23.
The stated purpose of the law is to give police and security agencies the ability to quickly access information contained on a suspect’s encrypted device. The LAED Act targets all data that is encrypted, both in transit and at rest. So not only would a tech company be forced to help the FBI break into a smartphone seized from a suspect, but it would also have to build a way to let officials monitor end-to-end encrypted communications, including whoever the suspect is talking to.
This bill reopens the door to the kind of government surveillance that led us to create Proton back in 2014. Make no mistake: This bill puts the privacy and security of everyone at risk, not only suspected criminals. If a back door exists, no one is safe.
What is the Lawful Access to Encrypted Data Act?
This law would require any American company with more than 1 million users in the US to be able to decrypt its users’ data and present it to law enforcement. It would apply to operating systems, messaging apps, videoconference apps, email providers, and cloud storage apps, as well as any device that has at least 1 GB of memory.
This bill also attacks the encryption system that keeps the entire Internet secure. The LAED Act would require a backdoor to HTTPS, the system that secures almost all websites with TLS encryption, so that law enforcement could access encrypted metadata. Without HTTPS, attackers can trace your online activity from site to site. If HTTPS were to be broken it would fundamentally alter how the Internet worked.
How would the LAED Act work?
The LAED Act would supplement the ways law enforcement agencies get permission to access private information. Currently, if authorities want to access data at rest (such as a photo on your computer) they need a search warrant, and if they want to access data in motion (such as text messages being sent over the Internet) they need permission for a wiretap.
Under the LAED Act, if law enforcement wants to decrypt a device to access data at rest, they would need to get a court order requiring technical assistance from the service provider in addition to the standard search warrant. The LAED Act would set a comically low bar to require decryption: All the police have to do is prove there are “reasonable grounds to believe” decrypting a device will help in the execution of their search warrant. In other words, if the authorities can prove that it is reasonable to expect that decrypting a device will yield useful information, then a judge must order that the device be decrypted and the service or device provider in question must decrypt their product.
- Example: Under the LAED Act, police could require Apple to decrypt a suspect’s phone so that it can access the data it holds (presuming it can convince a judge that there are “reasonable grounds to believe” it contains useful information).
To give law enforcement access to data in transit, the LAED Act would add the word “decrypt” right into the technical assistance a service provider must perform if it is served with a wiretap warrant. A wiretap warrant lets law enforcement get access to the content of a message or conversation. This new wording would force any service provider that is served with a wiretap to undo its encryption and present the plaintext content of the messages in question to law enforcement.
- Example: Under the LAED Act, law enforcement could require WhatsApp to decrypt a conversation so it can read messages exchanged between suspects so long as it can get a wiretap warrant.
The LAED Act also embeds this “decrypting” language directly into warrants that give police access to the metadata of text messages or emails, known as pen register/tap-and-trace warrants. So police would be able to see who sent the message and who received it.
This act would effectively require any American company that offers E2EE to redesign its product so that it can be decrypted.
If there is a service that does not yet have a known decryption method, the LAED Act lets law enforcement agencies issue an “assistance capability directive.” In short, this requires a company to develop (or maintain) a way around encryption. And this can be applied to any company, not just ones that meet the 1 million user threshold.
The bill even created a prize competition to incentivize researchers to develop new ways to break secure cryptography.
How would the LAED Act affect you?
As a Proton user, your data would remain secure. Because we are a Swiss company and store all your data on servers in data centers in Switzerland, ProtonMail is not subject to US laws. Any request from foreign law enforcement needs to be approved by a Swiss authorities. This means that even if this bill became law, we would be able to continue providing end-to-end encryption and zero-access encryption to our users, ensuring their messages stay secure and private.
However, if this bill is passed, the Internet’s overall security would dramatically decrease. Storing any personal data on your smartphone or conducting business online would become much riskier. As long as there is a backdoor in encryption, it is simply a matter of time before hackers discover it and exploit it.
LAED would also have immediate, concrete impacts. Companies might deploy weaker encryption on their products in the US. The ban on end-to-end encryption in the US means that if WhatsApp and Signal want to keep their encryption, they would likely have to remove their apps from the US versions of the App Store and Google Play. The encryption used on Apple’s iMessage and Android, iOS, macOS, and Windows devices would all have to be redesigned with backdoors.
Given the United States’ role in tech development, this law could also have a profound impact on the use and application of strong encryption around the world. If US companies develop the ability to build backdoors into existing secure encryption systems, that technology will be in high demand worldwide, especially by authoritarian governments.
The LAED Act must be stopped
This is an explicit attack on encryption that rejects the advice of virtually every security researcher. The problem, as we have stated again and again, is that any encrypted platform with a backdoor is fundamentally insecure. There is no such thing as a backdoor that only lets the good guys in. If there is a vulnerability, eventually, someone will find it and exploit it.
Once these vulnerabilities are built into platforms, the key to exploiting them will become the number one target of every hacker. Keeping these keys secure would be almost impossible. The US government has failed at this task in the past, like when a group known as the Shadow Brokers stole and published CIA hacking tools.
If every communications service has a backdoor, then the entire premise of the Internet as we know it collapses: The Internet and all the knowledge-sharing, self-expression, and economic transactions it enables could not function without encryption. If people are afraid that hackers will read their emails or steal their credit card numbers, the Internet will become useless.
This law is also indicative of a disturbing trend that is sweeping Western democracies. It is simple to trace the “assistance capability directive” in the LAED Act to the “technical assistance notices” in Australia’s Assistance and Access Law, which was inspired by the UK’s Investigatory Powers Act. All of these laws whittle away at their citizens’ rights and the security of the Internet. Seeing such a law passed and enforced in the US could encourage other countries to pass their own version of the LAED Act.
What you can do
The LAED Act is currently sitting in the Committee on the Judiciary. It has not faced a floor vote in either the Senate or the House of Representatives. You can monitor its progress here.
If you are concerned about your privacy, you can also sign up for a free email account with ProtonMail. This account will also give you access to the free version of ProtonVPN, which you can use to encrypt your online browsing.
We also urge everyone to read the bill itself along with other explainers of how the bill will work. The Electronic Frontier Foundation has a helpful analysis of the bill.
If you are an American who is worried about your right to privacy, you should call or write to your representatives in Congress and tell them you are against the LAED Act. By voicing your support for strong encryption, you will be contributing to the fight to keep the Internet secure, private, and free.
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy.ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.