Remember how ZOOM was pushed to finally implement end-to-end encryption? It might seem like ages ago with everything that is going on. A pandemic that has cost many lives and is far from under control. Millions working from home and staying connected through virtual meetings. Yeah, we want encryption to ensure some privacy. And companies want encryption to make sure their information is safe. Makes sense, right? The LAED Act disagrees and wants none of that!
In case you have not studied LAED, let me give you a quick summary. LAED stands for Lawful Access to Encrypted Data Act, a bill introduced in the U.S. Senate on June 23rd, 2020, which is nothing short of a frontal attack on encryption in any form. If passed, this bill would force tech providers to create a backdoor that allows law enforcement and intelligence agencies to access encrypted data. So, this means that devices, operating systems, apps, servers, protocols, routers, websites, and portals which offer encryption must have a backdoor!
That backdoor must be made available to law enforcement agencies, and the bill introduces a framework of regulations around it, as if that framework would eliminate the risk of a backdoor being abused. The term Lawful in the title makes the bill sound even less harmful than it actually is. But the subtitle alone should already make you very wary of this bill and its impact: ‘To improve the ability of law enforcement agencies to access encrypted data, and for other purposes’. What is meant by ‘other purposes’ is covered in the LAED Act in, for example, sections 501 and 502, which amend the Foreign Intelligence Surveillance Act. Indeed, the same FISA under which spying on Angela Merkel was lawful and the notorious PRISM program was approved and funded.
There are a couple of things you must understand about having a backdoor that can override encryption. Most end-to-end encryption is built on key pairs: a public key and a private key. The public key is shared with others, for example the people you chat with, and the private key stays on your device and never leaves it. Data encrypted for you can only be deciphered with your private key; having your public key is not enough. When, for example, two people have an encrypted chat, the app on each device combines its own private key with the other party’s public key to derive the key that protects the messages. Without the matching private key, that chat can not be deciphered, not by the chat provider and not by anyone who captured the traffic.
The LAED Act would force all tech providers and manufacturers to create a backdoor to override this encryption. Don’t think of this as a magical switch that turns off encryption the moment someone flips it. That is not the intended backdoor, because it would not enable law enforcement and intelligence agencies to decipher past communication. What the LAED Act would effectively mandate amounts to what I call ‘Shadow Keys’.
Shadow Keys mean nothing less than that the private keys will no longer be private. Instead, they will be shared with your tech providers, so that when they get subpoenaed they can hand over the private keys. Those private keys will enable law enforcement and intelligence agencies to unlock encrypted devices, read chats, listen in to calls, basically everything that happens on your devices and systems. And not just yours: with your private key, everything you exchanged with everyone you interacted with can be read as well.
Shadow Keys introduce severe risks for your privacy and security. Remember getting nervous about the last data breach of your favorite platform, where all your account data was out on the digital crime streets, aka the Dark Web? Wait until that data breach includes your private keys… And haven’t we been pushing everyone to use encrypted connections like VPNs and HTTPS to make sure cybercriminals are not able to tap into your bank accounts? Shadow Keys throw that overboard, and you will not even notice the difference, because the padlock in your browser looks exactly the same.
Supporters of the LAED Act will argue that this bill only authorizes controlled access to encrypted information, and “when you do no wrong you will have nothing to hide”, right? In reality, we have learned that the agencies involved aren’t the best keepers of their secrets (the Shadow Brokers leak of NSA exploit tooling being the obvious example), so that’s already a big concern. And the Snowden Files made crystal clear that you don’t have to do anything wrong to be spied upon and have your personal information stored and shared. They also made clear that ‘lawful’ is open to interpretation…
With or without Shadow Keys, having a backdoor makes you a prime target for cybercriminals. It is nothing short of putting up a neon sign saying ‘come and get me’. And they will! Meanwhile, the same cybercriminals and terrorists will simply continue to use non-U.S. or open-source encryption tools to keep their malicious communication hidden from U.S. law enforcement and intelligence agencies. So, who is this bill really targeting? All of us!
Besides the fact that the LAED Act takes the crown of bad ideas, there is a lot of irony which simply can not be ignored. The United States of America, which accuses Huawei of building backdoors into its technology and bans that technology over these unsubstantiated claims, is now in the process of forcing tech providers to build backdoors into their technology… One can only wonder whether the U.S. will force Huawei to build backdoors into its tech under the LAED Act! Backdoors which, under the LAED Act, can lawfully be used to spy on foreign subjects, which ironically is also what the U.S. is accusing Huawei of without providing a single shred of evidence. Maybe all the talk about the alleged backdoors in Huawei technology inspired these Senators to draft the LAED Act…?
Irony aside, there is another thing that bothers me about the LAED Act. I am a proud citizen of the European Union, and that means that I have ZERO influence on what the U.S. considers to be lawful. A country that steps back from binding treaties like there is no tomorrow and uses every bit of leverage it can create to serve its political agenda should be trusted to determine when it is lawful to access my private data and yours? I’d be very worried about that if I were you!