WASHINGTON – Senate Judiciary Committee Chairman Lindsey Graham (R-South Carolina) and U.S. Senators Tom Cotton (R-Arkansas) and Marsha Blackburn (R-Tennessee) today introduced the Lawful Access to Encrypted Data Act, a bill to bolster national security interests and better protect communities across the country by ending the use of “warrant-proof” encrypted technology by terrorists and other bad actors to conceal illicit behavior.
“Terrorists and criminals routinely use technology, whether smartphones, apps, or other means, to coordinate and communicate their daily activities. In recent history, we have experienced numerous terrorism cases and serious criminal activity where vital information could not be accessed, even after a court order was issued. Unfortunately, tech companies have refused to honor these court orders and assist law enforcement in their investigations. My position is clear: After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans. It also puts the terrorists and criminals on notice that they will no longer be able to hide behind technology to cover their tracks,” said Graham.
“Tech companies’ increasing reliance on encryption has turned their platforms into a new, lawless playground of criminal activity. Criminals from child predators to terrorists are taking full advantage. This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet,” said Cotton.
“User privacy and public safety can and should work in tandem. What we have learned is that in the absence of a lawful warrant application process, terrorists, drug traffickers and child predators will exploit encrypted communications to run their operations,” said Blackburn.
The Lawful Access to Encrypted Data Act is a balanced solution that keeps in mind the constitutional rights afforded to all Americans, while providing law enforcement the tools needed to protect the public from everyday violent crime and threats to our national security. The bill would require service providers and device manufacturers to provide assistance to law enforcement when access to encrypted devices or data is necessary – but only after a court issues a warrant, based on probable cause that a crime has occurred, authorizing law enforcement to search and seize the data.
- The debate over encryption and lawful access has raged on, unresolved, for years. The Lawful Access to Encrypted Data Act would bring an end to warrant-proof encryption in devices, platforms, and systems.
- Encryption is vital to securing user communications, data storage, and financial transactions. Yet increasingly, technology providers are deliberately designing their products and services so that only the user, and not law enforcement, has access to content – even when criminal activity is clearly taking place. This type of “warrant-proof” encryption adds little to the security of the communications of the ordinary user, but it is a serious benefit for those who use the internet for illicit purposes.
- Bad actors exploit warrant-proof encryption to shield dangerous and illegal activity —including terrorism, child sexual abuse, and international drug trafficking — from authorities. Many service providers and device manufacturers continue refusing to cooperate with law enforcement to help recover encrypted data, even when presented with a lawful warrant supported by probable cause. Without that cooperation, law enforcement is left with few choices: attempt to hack into the encrypted data – at the expense of months, if not years, of lost investigative time plus the millions of dollars in funds needed to execute a hack – or abandon investigations altogether. As a result, our national security is at risk, and countless serious crimes committed in communities around the United States go unsolved.
- Unfortunately, there are many examples that underscore the need to reform the current system.
- In December 2019, a member of the Royal Saudi Air Force carried out a terrorist attack at the Pensacola Naval Air Station in Pensacola, Florida, killing three service members and wounding eight. Attorney General Barr and FBI Director Wray recently announced that new evidence shows the terrorist was radicalized by al Qaeda. The FBI uncovered this evidence only after hacking into the phone to recover encrypted data. The terrorist had shot the phone in an attempt to destroy it. The FBI said they “effectively received no help from Apple” and the effort took over four months, costing “large sums of taxpayer dollars.” Remarks, Department of Justice
- During a money laundering investigation involving the Sinaloa Cartel, numerous lawful access issues arose because of the cartel’s use of an end-to-end encrypted app. The targets of the investigation made phone calls and sent messages using WhatsApp to coordinate drug deals and cash drops. The warrant-proof encrypted messages allowed the criminals to conceal their communications and prevent investigators from intercepting entire conversations, even with a court-authorized wiretap order. The inability to access content from WhatsApp prevented law enforcement from identifying suspects and producing seizures of drugs and money.
- In May 2015, there was a terrorist attack Garland, Texas. ISIS later claimed responsibility. Investigators discovered that one of the terrorists in Texas exchanged more than 100 messages with a terrorist overseas using an end-to-end encrypted app. To date, the FBI is still unable to determine the content of these messages.
- Ryan Lin, a computer scientist with extensive knowledge of encryption and hacking, was accused of cyberstalking, threatening and harassing of a number of victims over several years. Lin used various methods to hide his virtual identity, including VPNs, encrypted devices and encrypted overseas email accounts. During an investigation of Lin, he admitted to collecting a large amount of child sexual abuse material (CSAM) – including a dozen images of prepubescent CSAM he sent, unsolicited, to others – but had taken steps to encrypt the illegal material. Law enforcement conducted a costly and risky operation to seize Lin’s phone while he was using it to increase the likelihood of capturing unencrypted messages. Although agents were successful in obtaining Lin’s phone and material located on the phone, almost every device agents seized from Lin’s home was encrypted. Agents never recovered Lin’s CSAM collection on the seized encrypted devices. This limited law enforcement’s ability to identify victims, notify those victims, and present a fuller, more accurate portrayal of Lin’s conduct at sentencing.
- In 2016, FBI agents identified an IP address sharing image and video files of child pornography using the peer-to-peer program FrostWire. After receiving documents pursuant to legal process requests, the FBI identified a target associated with the IP address. In August 2017, FBI obtained a warrant to seize a desktop computer. The target used BitLocker, a full-volume encryption feature included with Microsoft Windows, to encrypt the desktop. Agents were unable to locate evidence of CSAM on the computer and were forced to close the case. The target of the investigation had regular access to children through his employment as a school bus driver.
- In December 2019, the Senate Judiciary Committee held a hearing titled, “Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy.”
Highlights of the Lawful Access to Encrypted Data Act:
- Enables law enforcement to obtain lawful access to encrypted data.
- Once a warrant is obtained, the bill would require device manufacturers and service providers to assist law enforcement with accessing encrypted data if assistance would aid in the execution of the warrant.
- In addition, it allows the Attorney General to issue directives to service providers and device manufacturers to report on their ability to comply with court orders, including timelines for implementation.
- The Attorney General is prohibited from issuing a directive with specific technical steps for implementing the required capabilities.
- Anyone issued a directive may appeal in federal court to change or set aside the directive.
- The Government would be responsible for compensating the recipient of a directive for reasonable costs incurred in complying with the directive.
- Incentivizes technical innovation.
- Directs the Attorney General to create a prize competition to award participants who create a lawful access solution in an encrypted environment, while maximizing privacy and security.
- Promotes technical and lawful access training and provides real-time assistance.
- Funds a grant program within the Justice Department’s National Domestic Communications Assistance Center (NDCAC) to increase digital evidence training for law enforcement and creates a call center for advice and assistance during investigations.