Come Join Our Fireside Chat With Rep. Zoe Lofgren To Discuss Internet Regulations: From SOPA To Now... And Looking Forward

from the don't-miss-it dept

As you've probably seen, for the last couple of weeks we've been running our Techdirt Greenhouse series of posts looking back on the fight against SOPA from those who were there at the time, including one this morning from from Rep. Zoe Lofgren, who was a key player in Congress stopping SOPA. Tomorrow at 1pm PT / 4pm ET, we'll be having Rep. Lofgren join us for a "fireside chat" looking back at what happened with SOPA a decade ago, but more importantly looking at what's happening today with internet regulations and where things are likely to go. If you want to attend live, please register to sign up. Like many of our recent events, we're using the Remo platform, which has the feeling of an actual in-person event, even while it's virtual. You'll be able to talk to other people at your "table" as well as move around to other tables to talk to other attendees as well. During the talk with Lofgren, you'll be able to submit your own questions as well. So please join us tomorrow...

Filed Under: competition, copyright, internet policy, privacy, section 230, sopa, zoe lofgren

The Next Techdirt Greenhouse And Event: Remembering The SOPA Fight

from the one-decade-later dept

Register now for our online event featuring Rep. Zoe Lofgren »

Next week is the ten year anniversary of the famed "Internet Blackout Day" in which internet users, together with activists, and some internet companies, spoke up together and told Congress that passing the Stop Online Piracy Act (and the Senate Companion, the Protect IP Act), would do tremendous damage to the internet. Lots of organizations are hosting events and doing other things to commemorate that momentous occasion -- but also trying to channel that spirit towards building a better internet.

And that includes us at Techdirt. We're going to be running a new Techdirt Greenhouse series with reflections from a bunch of people who were involved in the original fight, both looking back at what happened ten years ago, but also what's happened in the intervening decade, and what it means for the internet, for activism, for tech policy, and for users of the internet going forward.

On top of that, we're going to be hosting a live (virtual) event on January 26th at 1pm PT, with a fireside chat between myself, and one of the main heroes of the stop SOPA movement: Rep. Zoe Lofgren. The event will also include breakout discussions and a chance to network and connect with others interested in tech policy and the future of the internet. Register now to join the event!

Filed Under: greenhouse, pipa, sopa, zoe lofgren

Rep. Zoe Lofgren Recognizes The Nuances And Complexities Of Regulating Internet Companies

from the there-are-so-many-tradeoffs dept

It's taken as given among many politicians (and much of the media) that "something must be done" about "big tech" companies. The public seems a lot less concerned about it all. Unfortunately, as we've noted repeatedly, many in the government are focused on specific regulatory levers that seem incredibly unlikely to work (and which have a high likelihood of making any of the problems discussed even worse). A big one is antitrust. We keep hearing grandstanding politicians talk about how they need to break up "big tech" without any of them getting into how that will solve any particular issue. In the House, Rep. David Cicilline has been the poster child of this approach -- insisting that antitrust is the answer, but refusing to actually explore the nuances and tradeoffs of that approach.

One of the big problems with the antitrust approach is that the traditional remedies of antitrust do very little to fix the issues that people insist come about due to the big internet companies. Big fines seem mostly meaningless to them (though they will shift some behavior). And breaking them up really doesn't do very much at all. The value of the internet is the ability to communicate with everyone, and you can't create "BabyBooks" for Facebook in the same way it was possible to create "BabyBells" out of AT&T in the 1980s (and, we can all see how well that worked in the long run).

Some of us have suggested alternative approaches that might lead to more real competition and better end-user control over data. Over the last few months, I have been having more discussions with various different government officials about exploring some of these alternative remedies, but I have been less and less sure if any government official would ever actually pay attention.

So it's actually nice to see Rep. Zoe Lofgren, responding to Cicilline's giant confusing mess of a "Digital Markets" report by posting her own thoughts on better ways to think about regulating the internet. I don't agree with all of Lofgren's points, but it's one of the most sane and reasonable documents I've seen coming from a government official in a long, long time regarding issues on regulating internet companies. Unlike so many, it acknowledges the nuances and trade-offs inherent to this discussion, and the lack of any silver bullet fix.

The more difficult questions are in deciding how and when to regulate single-firm conduct, which the report often describes as a platform exercising its “gatekeeper power” over who uses it and under what terms. Our laws should promote open platform ecosystems as a central objective, but this is far from a simple matter in practice, because many of a digital platform’s assertions of gatekeeping power can be good faith efforts to serve user interests – such as privacy, security, and/or quality of service – and may protect the long-term health of the larger ecosystem. In certain instances, platforms may need to exclude certain parties or content outright – for example, moderating hate speech and the advertisement of fraudulent or harmful products – to ensure that a platform otherwise remains open and vibrant for other speakers and transactions.

A platform company could also abuse gatekeeping power – to promote its own products and services, to lock in users from leaving for other platforms, and so on. The challenge for Congress is to craft a legal framework to allow regulators to distinguish abusive gatekeeping from legitimate efforts to serve user interests and prevent ecosystems from breaking down. These sorts of cases will often resist easy categorizations and generalized answers, as regulators are forced to consider how deeply to intervene in the details of a platform’s operations, such as its precise terms of services or particular design aspects of its user interface.

The document also talks about privacy issues, and whether or not antitrust is truly the tool to deal with that.

The Report contends that privacy abuses by online platforms are symptoms of inadequate competition. This can be true in some cases, and in those instances competition policy could play a useful supporting role to give consumers more privacy-protective alternatives in the marketplace. But it is a mistake to treat privacy largely as a competitive problem with competition-focused remedies. Abusive data practices are found not only in large platforms but also from many smaller companies, as the latter are more likely to buy and sell sensitive user data to data brokers and other third parties. Even in more competitive digital markets, users often do not have enough visibility or understanding into how their personal data is being collected, used, and disseminated, and face insurmountable barriers to defending their own privacy interests, through either individual or collective action.

Effective privacy and data regulations can and will promote competition, both by restricting abusive business models that otherwise can trigger a race to the bottom, and by giving users more practical control over who holds their data and how it is used. The Report’s call for greater authority to promote data portability and interoperability is important. However, as with other privacy measures, it’s unlikely this can be accomplished through the ex post enforcement of generalized antitrust laws. Instead, it requires more specialized, expert, and prospective privacy regulation.

I still worry that we run into the same issues with most privacy legislative proposals as we run into with antitrust remedies: those putting in place the rules will misunderstand the nature of the problem and the remedy, and create results that only favor the largest companies who can comply with silly rules that don't always make sense.

But taking approaches that (1) lead to more interoperability, (2) more end-user control, and (3) greater transparency have always seemed to be the approach that might eventually have a real impact. It's good to see that Lofgren seems to be thinking along similar lines.

And, she also notes that many other private interests are trying to use these discussions to get their own favored results, and Congress should be wary of that. She doesn't name them, but Hollywood, the telcos, and the legacy newspaper business (not to mention big lumbering old tech companies like Oracle and IBM) have been actively trying to co-opt this process in a punitive way against companies which effectively out-innovated them. This gets far too little discussion, but it's great to see Lofgren point out the risk:

In all of this – competition, privacy, and or any other fundamental objective in platform regulation – we must be vigilant against regulatory and legislative agendas being co-opted to serve narrower interests. As I noted above, the rise of digital platforms unleashed a flood of new competition for earlier incumbents in many other industries. While these incumbents can have legitimate complaints about their treatment within platform ecosystems, this does not justify special regulatory protections that would lock down such ecosystems, favor conventional business models against digitally-native content and services, or attempt to restore markets to their pre-digital states.

Exactly.

Filed Under: antitrust, competition, david cicilline, gatekeepers, privacy, tradeoffs, zoe lofgren

Wyden-Backed Bill Would Make It Illegal For Government To Obtain Location Data Without A Warrant

from the broken-and-profitable dept

We've covered for a while how consumer location data is consistently abused by telecom providers, app makers, stalkers, debt collectors, people pretending to be law enforcement, and pretty much any idiot with a nickel and a dream.

Of course that also extends to government agencies like the IRS, CBP, and ICE, which have increasingly been buying access to your daily location habits so they can skirt around pesky warrants. The government still needs a warrant if it targets individuals, but nothing stops the government from hoovering up vast swaths of movement data en masse. Until now.

A new bill backed by Senators Ron Wyden and Rand Paul, and Reps. Jerry Nadler and Zoe Lofgren, attempts to put this loophole to bed permanently. Bluntly dubbed the Fourth Amendment Is Not For Sale Act (see: summary or full text), the law would ban law enforcement agencies from buying data from controversial facial recognition firm Clearview AI, as well as force agencies to obtain a warrant before sourcing location data from brokers. In a statement, Wyden said the bill would close loopholes in both the Electronic Communications Privacy Act and the Foreign Intelligence Surveillance Act that allows governments to buy consumer location data without a warrant:

"Doing business online doesn’t amount to giving the government permission to track your every movement or rifle through the most personal details of your life,” Wyden said. “There’s no reason information scavenged by data brokers should be treated differently than the same data held by your phone company or email provider. This bill closes that legal loophole and ensures that the government can’t use its credit card to end-run the Fourth Amendment."

In other words, government agencies will need to obtain a court order to gather information from third party data brokers instead of just buying it like a private company. The law comes on the heels of a steady parade of reporting showcasing widespread abuse of consumer data by numerous government agencies:

"In February last year, The Wall Street Journal reported that a company called Venntel was selling location data harvested from apps to Immigration and Customs Enforcement and Border Protection. Motherboard then found more sales to CBP, and reported on which specific apps provide data to Venntel. Motherboard also found how multiple software development kits (SDKs)—the bundles of code that collect location data—gathered information from apps marketed towards Muslims. This included Predicio, which was connected to Venntel’s data supply chain. Google banned Predicio from the Play Store after Motherboard's reporting. Google and Apple also banned another SDK called X-Mode from its app stores after one of Motherboard’s investigations."

While the bill has the support of a bipartisan coalition of lawmakers and many consumer and digital activism groups, getting the proposal through Congress will, of course, be a steep uphill climb. When you have a large coalition of powerful cross-industry lobbyists and numerous government agencies all happily crowded around a very broken trough, any incentive for genuine reform remains, well, muted at best.

Filed Under: 4th amendment, buying data, data, data brokers, government, jerry nadler, rand paul, ron wyden, zoe lofgren

A Mess In The House: Dirty Pool As Rep. Schiff Inserts Loophole To Help The FBI Spy On You

from the doesn't-the-4th-amendment-matter dept

As the debate continues over the renewal of some Patriot Act provisions for NSA surveillance techniques, the House now has a chance to correct a failure by the Senate, by one measly vote, to require a warrant for the FBI to go sifting through your internet histories that the NSA scooped up along the way. The intelligence community refuses to reveal how often this is done, but Senator Wyden is indicating that it's a lot more than you think -- and he's been right pretty much every time he's made those suggestions.

It's now up to the House, and while Rep. Lofgren had a version of the warrant requirement amendment, some petty political squabbling from Democratic leadership threatened to quash it -- mainly by Rep. Adam Schiff inserting a massive loophole to allow for more warrantless surveillance. Earlier on Tuesday it was reported that, after a long weekend of haggling, it appeared that a vote will be allowed on Lofgren's Amendment and that the language had been cleared up to the point that even Senator Wyden backed it:

“After extensive bicameral, bipartisan deliberations, there will be a vote to include a final significant reform to Section 215 [of the USA Patriot Act] that protects Americans’ civil liberties,” Lofgren, a Democrat of California, said. “Without this prohibition, intelligence officials can potentially have access to information such as our personal health, religious practices, and political views without a warrant,” she added.

[...]

The Lofgren-Davidson amendment will require the FBI to obtain a warrant even if there’s only a possibility that the data it seeks is tied to a U.S. person. If the government wishes to access the IP addresses of everyone who has visited a particular website, it could not do so without a warrant unless it can “guarantee” that no U.S. persons will be identified.

Wyden's support was seen as critical, because if he felt that Schiff had torpedoed the Amendment he wouldn't support the amendment. So the original reports saying that he was on board, was a good sign. He even put out a detailed statement in support.

Then, the full language came out, and Schiff appeared to torpedo the whole deal anyway by telling the NY Times that the amendment didn't really do anything anyway:

But in his own statement, Mr. Schiff put forward a narrower emphasis. Stressing the continued need to investigate foreign threats, he described the compromise as banning the use of such orders "to seek to obtain" an American's internet information.

Soon after Wyden pulled his support of the bill, realizing that Schiff was making a ridiculous interpretation to allow for more spying on American's internet browsing habits:

“The House Intelligence Committee chairman’s assertion that the Lofgren-Davidson amendment does not fully protect Americans from warrantless collection flatly contradicts the intent of Wyden-Daines, and my understanding of the amendment agreed to earlier today. It is now clear that there is no agreement with the House Intelligence Committee to enact true protections for Americans’ rights against dragnet collection of online activity, which is why I must oppose this amendment, along with the underlying bill, and urge the House to vote on the original Wyden-Daines amendment,” Wyden said.

Again, however, I remain perplexed about Schiff trying to water this down. Remember, Schiff was literally the House manager of the Trump impeachment campaign, and more than anyone, Schiff has a front row seat to how this President has politicized all aspects of government at his disposal. You would think that's a good enough reason to pass a bill that would protect American citizens from being spied on by the FBI without a warrant (as, I should mention, the Constitution requires). Why would that be at all controversial? I get that Schiff comes from a background where he has traditionally had a kneejerk support for greater law enforcement and intelligence powers -- but given what he knows about this administration, it's crazy that he wouldn't want to restrict those powers in the hands of someone who still regularly seems to threaten his political opponents, including Schiff.

Of course, as all of this was happening, the President himself urged his supporters in Congress to vote against the bill anyway, so who the hell knows what's going on any more anyway. What is clear is that Congress had a real chance to make sure the FBI had to live under the 4th Amendment, and it appears that it has failed to do so, so far.

Filed Under: adam schiff, backdoor searches, fbi, fisa, nsa, patriot act, ron wyden, surveillance, zoe lofgren

House Democrats Have The Power To Protect Our Web Surfing From Warrantless FBI Searching; Instead, They're Pointing Fingers

from the not-a-good-look dept

You would think that House Democrat leaders like Speaker Pelosi and Reps. Adam Schiff and Jerry Nadler, who helped lead the impeachment effort against President Trump, would leap at the chance to stop Trump and the FBI from conducting warrantless searches of Americans' internet browsing habits. Instead, they seem to be supporting it and are trying to scapegoat Rep. Zoe Lofgren -- who is trying to safeguard our internet surfing -- because she's dared to push for a fix to the law. At issue is the FISA renewal bill, in which Congress has decided to take the FBI's "backdoor searches" out of the backdoor and moved them around the front: explicitly allowing the FBI to go trawling through internet/browsing/search histories collected without a warrant by the NSA.

As we've discussed, over in the Senate, Senator Ron Wyden and Steve Daines pushed for a pretty straightforward amendment to say that these searches should require a warrant (yes, the 4th Amendment alone should require that, but... ) and their amendment fell just one vote short. So even though significantly more than half of the Senate voted to require a warrant, the bill that passed out of the Senate does not require a warrant. The ball then moved to the House side, and you'd think that leadership there should just put in a similar amendment -- and, indeed, Rep. Lofgren had one ready to go. This shouldn't be a surprise. Lofgren has fought to end backdoor searches for years.

However, a story in Politico argued that Lofgren's Amendment somehow threatened to "blow up" a well-orchestrated Congressional move to make sure the FBI could keep spying without a warrant. Dell Cameron, over at Gizmodo, breaks down just how ridiculous this whole story is, and how it appears that it's actually Speaker Pelosi and Rep. Schiff who want to let the FBI warrantless searches continue, and they've strong-armed Rep. Nadler into supporting this position (Nadler, who is terrible on copyright issues, usually is pretty good on civil liberties), while trying to pin any "blame" on Lofgren.

Much of the story covers shenanigans to box out Lofgren back in February when she sought to add her version of the Wyden/Daines Amendment:

A timeline of the negotiations shared with Gizmodo, which was compiled from notes and communication logs immediately after the story ran, shows that Lofgren and her allies had been pressing the Judiciary Committee about amendments to Nadler’s bill as early as February 10.

Requests to see the text were repeatedly denied, the sources said. The same FISA reformers reportedly reached out to the committee on February 12, saying that, if adopted in the form of amendments, parts of Lofgren’s bill would ensure that Nadler’s FISA re-authorization push was even more bipartisan. The Judiciary Committee reportedly turned over a draft copy of the bill the following day, but warned that “substantial revisions” were already in the works. About a week later, the updated text was still not available.

According to this timeline, the authors of the Lofgren-Davidson amendment would not see the final text of the bill until Friday, February 21. Minus the weekend, that gave staffers roughly 24 hours to work alongside legislative counsel to draft the amendment in a way that comported with Nadler’s bill. The Lofgren-Davidson amendment was finally handed over to the Judiciary Committee that Tuesday, a full 24 hours before the markup hearing, meeting the committee’s requirements.

And when Lofgren met that deadline... Nadler cancelled the markup, effectively blocking the amendment from a vote. And this wasn't for lack of interest:

One Republican staffer, who has direct knowledge of the negotiations, told Gizmodo that Nadler had effectively burned the Democrats by cancelling the markup hearing. The appetite for reform was certainly there, they said. Not only did the Democrat’s progressive wing and the libertarian House Freedom Caucasus support it, but many other Republicans, who’ve never shown interest in privacy reform, would have campaigned on curtailing the FBI’s authority.

It would have been useful in an election year, the staffer said, if only because President Trump has so frequently and publicly accused the FBI of breaking the law.

And so now that the bill is back on the House's plate, Nadler is the official roadblock to getting this amendment in, though it sounds like Pelosi and Schiff are putting on the pressure from behind the scenes.

Two Democratic aides said that the pressure on Nadler to kill the Lofgren-Davidson amendment was coming “from all sides,” and that cancelling the February hearing was probably not his own decision. Both staffers stopped short of fingering Pelosi and Schiff, but said that “House leaders,” including “other committee chairs,” were likely involved in that effort.

Questioning what it all means for the future of the Democratic party, which has long portrayed itself as the defender of Americans’ civil liberties, one Democratic aide said: “We need to look at ourselves and say, ‘Why on earth is the Senate the body that is producing the more progressive government privacy legislation and not the House?’ Why is that? I think the answer [requires] a long look in the mirror.”

Lofgren and others are now pushing to get their amendment back on the agenda, and it sure sounds like Schiff and Pelosi are trying to stop it, with Nadler -- whose public statements seem to indicate his support, but his actions show otherwise -- the key to actually making a decision.

I still find it bizarre that this amendment is even remotely controversial. First, it's just making it clear that the 4th Amendment applies. Second, if bad shit is happening, the FBI can still get a warrant. Third, both Democrats (stop Trump from abusing his powers) and Republicans (stop the deep state from surveilling Americans) have ready-made stories to explain their votes.

So what's the damn holdup?

Filed Under: adam schiff, backdoor searches, browser history, fbi, fisa, fisa renewal, jerry nadler, nancy pelosi, nsa, patriot act, surveillance, zoe lofgren

The Race Is On To Create A Federal Online Privacy Law: First Entry From Reps. Eshoo & Lofgren

from the lots-of-thought,-but-little-chance dept

There's a race on to have Congress introduce a comprehensive federal privacy law. As you may (or may not?) know, the US really doesn't have a law protecting our privacy. To date, any privacy protections have been a mixture of other laws, from the defanged 4th Amendment protecting (in theory more than reality) against government intrusion into our private lives, to the FTC's consumer protection mandates. However, many people recognize that this probably isn't doing enough to protect privacy in this age -- and with the EU taking the lead with the GDPR, it's become clear that the US needs to put at least something in place. So far, Congress has failed to come up with much, and there's a bit of a ticking time bomb in the form of California's hugely problematic CCPA law, which is set to go into effect on January 1st, despite a long list of problems with the law.

So much of the discussion has been around whether or not a new federal law will come into play that pre-empts various states trying to create their own set of privacy laws. Reps. Anna Eshoo and Zoe Lofgren have now announced their entrant into the discussion with their Online Privacy Act. It is quite long and detailed, coming in at 132 pages which I recommend reading. They've also created a one page summary of the bill.

The bill is ambitious, detailed and thoughtful... but also has some problems and is not likely to become law. There's a lot in the bill, but it will create a brand new federal agency, staffed with 1,600 employees, to "enforce users' privacy rights." Along those lines, it establishes what those rights are -- with much of it pulling from concepts currently found in the GDPR (i.e., rights to access, correct, delete, and download information companies hold about you). There are some opt-in requirements for using your data for things like machine learning (what seems like a response to the kerfuffle over IBM using Flickr images to train facial recognition AI).

The law would also put a bunch of obligations on companies regarding data minimization and also force the companies to be more upfront about what they need particular data for. It would also limit the sale or transfer of personal information. It also criminalizes "doxxing" which it defines as disclosing "personal information with intent to cause harm." If this became law, that section might run into some 1st Amendment problems.

Part of the "thoughtfulness" of the bill is that Eshoo and Lofgren have clearly heard some of the concerns that were laid out about the GDPR or other approaches to privacy. It includes an exemption for small businesses and then also includes a "ramp up" phase for companies that cross out of the small business realm. I'm always a bit concerned about "small business exemptions" because they lead to weird incentives and not always great outcomes. From a purely efficient standpoint, I tend to think that if the law is written in a manner that requires exempting certain classes of companies, it tends to highlight problems with the overall law itself, though there are some exceptions to that rule.

Importantly, the bill also calls out that it should have no impact on journalism, and acts of journalism (reporting on people) should never be seen as violating the law. That could lead to some conflicting situations within the bill, but hopefully the blanket exemption on journalism would protect journalistic activity.

That said, there are still problems with the bill. The biggest one is that it does not appear to pre-empt state laws, which is kind of the whole reason for introducing a federal law in the first place. I know that some privacy activists have pushed back against state pre-emption, but that by itself makes the bill somewhat useless, because California's law and other state privacy laws would more or less wipe this law off the books in terms of effectiveness. I understand the thinking that some have put forth that letting states craft their own privacy laws encourages more experimentation and thoughtfulness, but it makes little sense on an internet that crosses all borders. Complying with all state privacy laws is going to be a huge mess -- and therefore it seems like a federal law must include pre-emption of state laws for it to be valid.

The bill also includes a private right of action, which is seen by many to be problematic -- as it's going to enable the rise of what are, in effect, privacy trolls. Again, there are reasonable concerns about if it's only left up to government enforcement that enforcement will be lax, or will suffer from regulatory capture, but leaving open a broad private right of action could have significant problematic consequences. The bill also seems clearly designed to set up certain non-profits to file a bunch of class action privacy lawsuits:

NONPROFIT COLLECTIVE REPRESENTATION.— An individual shall have the right to appoint a nonprofit body, organization, or association which has been properly constituted in accordance with the law, has statutory objectives which are in the public interest, and is active in the field of the protection of individual rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in this Act on his or her behalf.

I worry a bit about the incentive structure there as well. I certainly have faith that groups like EFF would use this particular power wisely and in pursuit of actually protecting our privacy, but there are a number of non-profits out there that would likely take this to ridiculous extremes and immediately go after lots of companies for potentially dubious reasons.

Most reports on this acknowledge that this bill is unlikely to become law. It does not currently have bipartisan support, and the creation of an entirely new government agency, the lack of state pre-emption, and the private right of action have been seen as non-starters for many.

All that said, we're likely to see a bunch of privacy bills showing up in Congress soon, so it's worth exploring the details of this one. And, of course, it should be noted that both Lofgren and Eshoo represent parts of Silicon Valley, which might make you assume that the bill is "friendly" to tech companies. Looking through the details, though, and that would be a mistake. While I'm sure some will criticize the bill for not going far enough, this would create a pretty massive overhaul in how online privacy is handled in the US today and would, in effect, create an equivalent of the GDPR. That might still "benefit" large companies in making it more difficult for others and new entrants to compete (even with the small business exemption), but this bill doesn't do any favors for internet companies.

I do still worry that most of our attempts to regulate privacy fail because we often misunderstand what privacy means, and I do worry that the approach in this bill, as with the GDPR and the CCPA, suggests a static, rather than dynamic internet world, in which the focus is on "limiting" things, rather than recognizing how they might be better enabled by putting more control in the hands of the end users. So much of the structure of this and other bills seems based on the idea that there are central entities "controlling" our data -- which may be the case today, but need not necessarily be the case in the future.

Filed Under: anna eshoo, competition, doxxing, gdpr, online privacy act, privacy, private right of action, state pre-emption, states, zoe lofgren

Bill Introduced To Prevent Government Agencies From Demanding Encryption Backdoors

from the pushing-back-from-the-top-down dept

The FBI continues its push for a solution to its "going dark" problem. Joined by the DOJ, agency head Christopher Wray has suggested the only way forward is a legislative or judicial fix, gesturing vaguely to the thousands of locked phones the FBI has gathered. It's a disingenuous push, considering the tools available to the agency to crack locked devices and obtain the apparently juicy evidence hidden inside.

The FBI hasn't been honest in its efforts or its portrayal of the problem. Questions put to the FBI about its internal efforts to crack locked devices are still unanswered. The only "new" development isn't all that new: Ray Ozzie's "key escrow" proposal may tweak a few details but it's not that far removed in intent from the Clipper Chip that kicked off the first Crypto War. It's nothing more than another way to make device security worse, with the only beneficiary being the government.

The FBI's disingenuousness has not gone unnoticed. Efforts have been made over the last half-decade to push legislators towards mandating government access, but no one has been willing to give the FBI what it wants if it means making encryption less useful. A new bill [PDF], introduced by Zoe Lofgren, Thomas Massie, Ted Poe, Jerry Nadler, Ted Lieu, and Matt Gaetz would codify this resistance to government-mandated backdoors.

The two-page bill has sweeping safeguards that uphold security both for developers and users. As the bill says, “no agency may mandate or request that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.”

This bill would protect companies that make encrypted mobile phones, tablets, desktop and laptop computers, as well as developers of popular software for sending end-to-end encrypted messages, including Signal and WhatsApp, from being forced to alter their products in a way that would weaken the encryption. The bill also forbids the government from seeking a court order that would mandate such alterations. The lone exception is for wiretapping standards required under the 1994 Communications for Law Enforcement Act (CALEA), which itself specifically permits providers to offer end-to-end encryption of their services.

The Secure Data Act shouldn't be needed but the FBI and DOJ have forced the hand of legislators. Rather than take multiple hints dropped by the previous administration, the agencies have only increased the volume of their anti-encryption rhetoric in recent months. Maybe the agencies felt they'd have the ear of the current administration and Congressional majority, but investigations involving the president and his staff have pretty much killed any "law and order" leanings the party normally retains. This bill may see widespread bipartisan support simply because it appears to be sticking it to the Deep State. Whatever. We'll take it. Hopefully, this makes a short and direct trip to the Oval Office for a signature.

Filed Under: backdoors, congress, doj, encryption, fbi, going dark, jerry nadler, matt gaetz, responsible encryption, secure data act, security, ted lieu, ted poe, thomas massie, zoe lofgren