Recently, I came across the following hackernews thread An even worse anti-encryption bill than EARN IT (stanford.edu). TL;DR The US Senate Judiciary & Intelligence Committee proposed a bill that would force industries to add a backdoor in their software/hardware products, accessible by law enforcement. Honestly, I didn't even open this link, like I do with many others from hackernews, either I was lazy or didn't think it was important. Later, I think I came across the same article somewhere else and decided to give it a read. Man, was I not expecting that. I might be over-reacting here, but that was my reaction.
What is LAED?
LAED stands for Lawful Access to Encrypted Data, is a bill from US Sentate Judiciary & Intelligence Committee, which basically wants plain text access to both stored & in transit data (of course, with a court order). Isn't the government already doing that? like in Apple vs FBI encryption dispute. Well, organizations could deny such an order citing technical impossibility, like in case of End-2-End-Encryption, without the private keys from users, the data can't be decrypted, provided the implementation doesn't already have a backdoor. Now, with LAED, organizations will be forced to redesign their system, so unless the users themselves encrypted the data (on top of existing one), organization couldn't say No!.
Who does LAED apply to?
LAED applies to,
- For data stored on a device - local/remote
- Manufacturers that sold 1 million devices or more
- Softwares that have 1 million users or more
2. For data in transit
- Services that have 1 million monthly users or more
What are the implications?
LAED is such a sweeping bill that the providers simply can't say no. Even if they challenge that in a court of law and the court decides to uphold the order, they have to comply or, face contempt of court. If a provider says that they don't have the capability to decrypt the data, then they have to redesign or build one. Most importantly, this breaks the foundation of users's security & privacy altogether.
The government wants this tool thinking that they could prevent evil in the society (they are the good guys, right?) and only they should be able to access it, something like a Universal Golden Key. But, in reality there is no such thing as middle ground encryption, which is highly impossible, rather its a slippery slope. Either, you can have an encryption scheme that isn't decryptable without a key, or, you can have an encryption scheme with a backdoor, which is exploitable by anyone. Backdoors like these can be exploited foreign actors, both nation states & criminals against the very people that the government wants to protect.
Another major implication is that, this bill concerns US providers, but this also becomes an incentive (or persuation from the US) for other nations to enact similar laws forcing their providers to do the same. So, simply switching providers will only delay the inevitable.
Another unknown part of the equation is, what does this mean for FLOSS? will those projects be forced to build a backdoor as well? whatabout the forks of those project? I mean, where does this rabbit hole lead? Would the government simply bring a ban on civilian encryption and categorize anyone that does so a criminal?
I view these as an attack on user's right to privacy & security. Government always comes with messed up stuff like these in the pretext preventing crimes. We can't trust them either, because they have lost their credibility after WikiLeaks's US diplomatic cable & Vault 7 leaks, Edward Snowden's NSA leaks. But, even after these, we still see government as the hero & whistleblowers as traitors or enemies against humanity.
This has to change, or else, we will lose every right we have, like breaking bricks from a wall. We need to raise our voice against these kind of invasive bills & let the law makers know that we aren't as dumb as they think we are.
I read a wonderful comment on a hackernews thread,
Say if you & your friends are seated in a restaurant. You all have nothing to hide, so a camera & mic are placed there, streaming your conversation for the world to see & listen. Would you be okay with that because you have nothing to hide?.
Whether you have anything to hide or not, doesn't mean entire world has to know.
Another justification for your right to privacy,
I don't care about free speech, because I have nothing to say.