Encryption debated in Washington

Security experts are debating the Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act, proposed legislation to create a uniform national encryption policy. Introduced June 7, 2018, by Reps. Ted Lieu, D-Calif., Mike Bishop, R-Mich., Suzan DelBene, D-Wash., and Jim Jordan, R-Ohio, the bill would enable federal agents to access “back doors” into encrypted data. It would also prevent individual states from enacting separate data access policies. ENCRYPT Act supporters call it a necessary protection against counterterrorism; opponents argue it gives too much power to federal law enforcement.

Rep. Lieu believes the bill has received bipartisan support because it addresses conflicting encryption standards for interstate commerce, economic security and cybersecurity. “I can tell you that having 50 different mandatory state-level encryption standards is bad for security, consumers, innovation, and ultimately law enforcement,” he stated. “Encryption exists to protect us from bad actors and can’t be weakened without also putting every American in harm’s way.”

Morgan Reed, president of the App Association, added, “On behalf of app developers and tech innovators across the country and around the world, we can attest to the value of encryption technologies to protect data and prevent crimes. The ENCRYPT Act is a necessary step to ensure Americans can use encrypted technologies to protect themselves and their data, regardless of where they live.”

Reed further noted that encryption protects data from criminal access, but the current patchwork of conflicting state policies creates known vulnerabilities that criminals can exploit. “This legislation establishes national guidelines for the interstate use of encrypted technology and protects the data that drives our local economies and the app economy at large,” he said.

Assigning backdoor keys

Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, is concerned by the ENCRYPT Act’s potential to force technology companies to implement security backdoors. “Undoubtedly any backdoor that is introduced will be available to both law enforcement and bad actors alike, collectively making us less secure,” he said.

Anthony James, chief marketing officer at CipherCloud, also voiced concerns about granting federal law enforcement unilateral access to civilians’ encrypted data. “Despite the noble objective of nationally standardized encryption in support of law enforcement and counter-terrorist activity, the use by government of forced disclosure, whether at the state level or the federal level, can move the control of your data into someone else’s hands,” he said. “‘Back doors,’ or special APIs that access your data at various points of being used within applications, can also easily circumvent basic protection such as ‘at rest’ encryption for your databases.”

James said the only way civilians can maintain control over their confidential data is to implement Zero Trust end-to-end encryption. This level of protection would not allow anyone to use a backdoor into a third-party-provided cloud application to access data without a user’s explicit knowledge and approval, he noted, adding that only “your decision to deliver your data encryption keys to the requesting party will expose the data.”

Details, questions remain

Ruston Miles, chief strategy officer, executive vice president and founder of Bluefin, pointed out that the PCI Security Standard Council's P2PE solution protects merchants and cardholders by encrypting card data immediately upon entry. "Around the world, a growing number of merchants, from multinational enterprises to local businesses, are using PCI point-to-point encryption to protect their customers’ cardholder data,” he said.

Miles observed that more than 1,600 data breaches were reported in 2017, and nearly all involved transmitting and processing unencrypted payment card data. Additional incidents went unreported or undiscovered, he said. He described the ENCRYPT Act as a well-intentioned effort to create a national security policy but suggested that numerous details will have to be solved during implementation.

Willy Leichter, vice president of marketing at Virsec, said having a standardized national encryption policy seems like a positive move, but it falls short of solving the basic collision of interests around encryption. “Law enforcement wants broader access, while privacy experts (and most of the security industry) don’t want to neuter the effectiveness of encryption,” he said. “This group seems to understand that encryption is a fundamental building block of most digital business, and weakening it, for whatever reasons, can be disastrous.”

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.