Lawmakers introduced the Secure Data Act on Friday: a new bill that prevents law enforcement and surveillance agencies from forcing companies to insert backdoor entrances into their products and services. The bill was presented by U.S. Representatives Zoe Lofgren (D-Calif.) and Thomas Massie (R-Ky.) along with four co-sponsors.
“U.S. intelligence and law enforcement agencies have requested, required, and even sought court orders against individuals and companies to build a ‘backdoor,’ weakening secure encryption in their product or service to assist in electronic surveillance,” Lofgren said in a press release.
Why is this bill needed? A prime example would be the fiasco between the FBI and Apple over an iPhone 5C. The FBI recovered the phone from one of the shooters in the San Bernardino attack at the end of 2015, but couldn’t unlock the device. After turning to the National Security Agency to break into the phone with no success, the FBI demanded that Apple create a version of iOS packing a backdoor to install on the device. Agents could then bypass the phone’s 10-try PIN entry screen.
Apple refused.
“In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession,” Apple CEO Tim Cook said. “The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”
The battle grew ugly, incorporating a court order against Apple under the All Writs Act of 1789 and pressure by the U.S. Department of Justice. Apple offered four methods to access the iPhone 5C data, but the FBI instead chose to request that Apple develop malware for this one specific device, granting access to the phone’s contents.
Eventually the government dropped its court case against Apple after the FBI hired hackers to create a tool that exploited a zero-day vulnerability in iOS. With the tables turned, Apple wanted to know how the FBI cracked the iPhone. But even lawsuits filed under the Freedom of Information Act couldn’t persuade federal judge Tanya Chutkan to release the details; she cited possible theft of the tool and a target on the third-party hackers.
“FBI officials did not pursue available technical solutions to access Farook’s iPhone because the FBI preferred obtaining a precedent-setting court judgement compelling Apple to weaken their product encryption,” Lofgren said on Friday. “It is well-documented that encryption backdoors put the data security of every person and business using the products or services in question at risk.”
Lofgren also said that backdoors created for law enforcement and intelligence surveillance are “vulnerabilities available for hackers to exploit.” She points to the Recording eXpress call recording suite developed by Nice Systems, which included an undocumented backdoor account. This hidden entry granted hackers full access to the system and let them listen to recorded calls without authorization.