Encryption, cybersecurity, and technology policies like the RESTRICT and EARN IT Acts, sold as if they carried no tradeoffs, address symptoms rather than problems, and they do it badly.

August 28, 2023

Blog Post by Tarah Wheeler and Geoffrey Cain

Encryption is like a baby. It comes with problems, but you wouldn’t solve them with blunt force. If your baby is crying, or your baby is messy, you wouldn’t cut your baby in half (that is, if you’re not a psychopath). You can either protect and raise your baby in its full form or you don’t have one.

The same applies to encryption today. Your devices either maintain their end-to-end encryption or they don't. You have no safe way of building "end-to-half" encryption, chopping off an arm or a leg or two, of making exceptions for government authorities while guaranteeing your private data is safe from prying eyes.

All this year, U.S. leaders have attempted to pass a wave of misguided online security bills, designed to break that encryption and place Americans in a panopticon of surveillance by default. Lawmakers have embarked on the unadvisable mission of cutting the encryption baby in half. They are demanding one set of legal exceptions that would allow the police to enter your digital home through the backdoor, all while preserving the iron front gates of encryption for everyone else.

The problem is, once everyone else (malicious Chinese hackers, bank fraudsters, and identity thieves) learns how to break through the flimsy backdoor, all that encryption is rendered useless, and the privacy and personal well-being of Americans everywhere is at risk. American lawmakers such as Sen. Lindsey Graham (R-SC) and Sen. Maria Cantwell (D-WA) say that they're clamping down on threats from child sexual abuse material (CSAM), TikTok, and China's spy campaigns. But the bills they advocate for, which include the RESTRICT Act and the EARN IT Act, along with alarming anti-privacy bills in the UK and France, pull the rug out from under the foundations that have made America the global leader in connectivity and innovation. They are a fundamental attack on the internet's openness and vibrancy, and stand to harm the constitutionally guaranteed due process rights of U.S. citizens.

The proposed bills all share an alarming characteristic: they turn your phone into a cop in your pocket by switching privacy expectations to "surveillance by default." The wave of surveillance-by-default bills has swelled since the beginning of 2023. In March 2023, U.S. Senator Mark Warner introduced the RESTRICT Act, a bill that would permit the Secretary of Commerce to ban tech companies from six countries (China, Cuba, Iran, North Korea, Russia, and Venezuela) from conducting business in the United States.

This is a sweeping decision-making power that bypasses the authority of the Committee on Foreign Investment in the United States (CFIUS), the interagency committee that evaluates foreign investments in the United States to see if they might harm national security. In banning foreign tech companies, the Secretary would not be required to weigh whether an app or service is embedded in the structure of the Internet and needed for its function. Before handing the Secretary of Commerce the power to declare crucial internet infrastructure a threat to U.S. national security, we should be far more convinced than we are that the Commerce Department has the capacity to understand the technical issues involved and make good recommendations about them.

Another similar bill, the EARN IT Act, introduced in April 2023, would mandate that companies hunt for CSAM by spying on the private communications of users. One month later, in May, the state government of Montana passed a law that will ban TikTok within state borders starting on January 1, 2024. Montana lawmakers quickly realized that enforcing the ban would require surveilling every phone in the state by default, a sweep that would be unconstitutional and would ironically hand surveillance capabilities to China.

The same month, the UK Parliament unveiled the Online Safety Bill that would mandate companies enforce a raft of requirements, many of which are technically infeasible, such as age verification for users. The bill also places the burden of proof on companies to show that their servers do not hold CSAM, a provision that will essentially turn these companies into police spies who will rummage through users’ files, regardless of whether they are suspected of the crime of owning child pornography.

Another bill in France will open the door to mass surveillance against people across the world. The bill will demand that all mobile phone makers, including Apple, give French police the right to remotely turn on anyone's phone camera or microphone. Once the backdoor technology goes live in France, there is nothing stopping other countries from mandating the same police access, or criminals from exploiting the feature. Additionally, Apple may feel compelled to build this backdoor, and other surveillance technology, into the iPhone everywhere else.

Here's how we fix all this: stop using band-aids and start solving the problems where they start. American lawmakers are stepping over the most obvious and straightforward answer to these problems: the passage of a National Privacy Standard that will lay out clear rules around encryption and the limits to the harvesting of data. Policymakers keep trying to pass damaging technology policy bills, and they ignore technologists when we say that the thing they want is impossible without destroying something far more valuable: our civil liberties. By enabling surveillance as the default mode on all citizens, we're creating our own tech panopticon.

Geoffrey Cain is a senior fellow at the Foundation for American Innovation, a tech policy think tank in Washington DC.

Tarah Wheeler is a Senior Fellow for Global Cyber Policy at the Council on Foreign Relations.

This blog post was originally published on the Council on Foreign Relations' website.