On June 23, 2020, Senators Lindsay Graham, Tom Cotton, and Marsha Blackburn introduced the Lawful Access to Encrypted Data Act, one of the most expansive anti-encryption bills in recent history. The Bill would amend federal surveillance laws to require large tech companies to decrypt data at rest or in motion when demanded by a federal or state court, and to build backdoors into any encrypted communications protocol that would allow the government to gain lawful access to such communications. This decryption requirement would apply to any device manufacturer that has sold 1,000,000 units of consumer electronic devices, or an RCS, or ECS provider that has 1,000,000 annual subscribers (for data at rest) or 1,000,000 monthly active users (for data in motion) in any calendar year in 2016 or thereafter. Companies that meet this threshold would have one year from the passage of the law to build these decryption capabilities.
Importantly, the Bill appears to strip federal and state court judges of any discretion to reject a decryption order, requiring that a judge issue an order whenever the government establishes that it has “reasonable grounds to believe that the assistance required by the order will aid in the execution of the warrant.” The Bill allows the government to demand that a provider filter the information authorized to be searched; decrypt, decode, or otherwise provide information in an intelligible format; and to provide secure technical support as necessary to ensure the effective execution of the warrant. These decryption authorities could be used in both national security and traditional criminal cases and apply to search warrants seeking stored communication as well as real-time surveillance orders (i.e., data at rest and data in motion).
For smaller companies that do not reach the above-described threshold, the Bill grants the Attorney General authority to issue “Assistance Capability Directives” to any manufacturer, ECS, or RCS that has been served with at least five warrants for data access over the prior 12 months to build those same decryption capabilities within 180 days of the receipt of the directive.
To accomplish all of these changes, the bill amends the Communications Assistance for Law Enforcement Act (CALEA) and strikes the language that has traditionally been read to prevent the government from requiring covered carriers to decrypt communications. It also amends the Wiretap Act, the Pen Register and Trap and Trace Provisions, and FISA to strike all of the language that has traditionally allowed providers to resist orders where the order substantially interferes with their provision of services. In its place, the bill adds language specifically requiring decryption of communications. The one limitation contained in the bill is a provision that prohibits the Attorney General from specifying any particular technical means by which the provider is required to implement the required capabilities.
For providers, the bill provides a mechanism for a provider to challenge these Assistance Capability Directives, but only where the directive: (1) does not meet the requirements of the law; (2) is technically impossible to implement; or (3) is otherwise unlawful. This approach seems to be borrowed from the challenge mechanism under Section 702 of the Foreign Intelligence Surveillance Act and requires decisions to be issued on a fairly speedy schedule. It also provides immunity from liability when a provider takes action to implement accessibility orders, and limited cost reimbursement provisions.
Finally, the Bill would also establish a cash prize competition of up to $50 million dollars to incentivize the development of decryption methods–essentially a “bug bounty” program for decryption efforts–to encourage individuals and entities not associated with tech companies to develop “technological solutions that provide law enforcement access to encrypted data pursuant to legal process.”
Although the Bill is unlikely to pass given mixed public sentiment and a divided Congress, it has received the strong support of the Attorney General and showcases the broad hostility of the current administration toward encryption and its corresponding disregard for the significant security issues created by mandatory decryption schemes.