Proposed Lawful Access to Encrypted Data Act (LAEDA) to Allow Lawful Access to End-to-End Encryption

Recently, a group of Republican senators introduced legislation known as the Lawful Access to Encrypted Data Act (LAEDA). This legislation aims to provide law enforcement with so-called “lawful access” to encrypted data in transit. Currently, this data cannot be accessed by law enforcement without putting the security of the data at risk as it is stored on and travels through the Internet.

What Information Can Currently Be Accessed by Law Enforcement?

The coronavirus pandemic has exposed the inadequacy of encryption methods used by Zoom and other video software. In response to complaints of “Zoom bombing” and misleading advertising about Zoom’s encryption measures, Zoom recently announced a plan to offer end-to-end encryption (E2EE) that would, among other things, satisfy certain HIPAA Security Rule standards, and prevent Zoom from spying on doctor-patient video conferences. E2EE allows data, including messages, to remain encrypted while in transit. With E2EE, only a data recipient (person to whom a message is sent) can decrypt the data and therefore be able to read it. 

Zoom was initially reluctant to offer E2EE to “free” users, worrying that offering the service to people without a paid account would diminish Zoom’s ability to “work together with the FBI, with local law enforcement” in cases where law enforcement demanded access to encryption information. Public outcry from privacy advocates was swift, leading Zoom to update its plan to extend the E2EE option to unpaid users.

This move did not sit well with Republican senators Marsha Blackburn, Lindsey Graham, and Tom Cotton, who, in response, introduced the Lawful Access to Encrypted Data Act (LAEDA). This legislation would require tech companies like Zoom to build “lawful access” mechanisms into their encryption. Lawful access mechanisms would allow law enforcement access to data in transit (also called “data in motion”) as well as data at rest.

End-to-end encryption of data in transit means that data is encrypted when it is transmitted between a device and a server (a service provider such as a telephone operator) and then the data is encrypted again to be transmitted to the recipient(s). Only the sender and the recipient(s) can read the data. Therefore, currently, service providers cannot turn over decrypted data to law enforcement (e.g., the police or the FBI) even if the providers wanted to, since the providers themselves cannot decrypt the information.

End-to-end encryption at rest means that data is encrypted in the storage media on servers when not being used. Therefore, the data cannot be accessed or decrypted by the cloud provider. For example, Apple currently doesn’t have copies of iPhone decryption keys, so when the FBI demands it unlock a seized phone, it genuinely cannot comply.

What Data Can Law Enforcement Access Under LAEDA?

The LAEDA bill would compel tech companies to build “lawful access” mechanisms into both E2EE data in transit and E2EE data at rest. These mechanisms would allow law enforcement to access E2EE data in transit from anywhere on the Internet, as well as E2EE data at rest. Under LAEDA, law enforcement can access encrypted data as soon as a court issues a warrant authorizing the access.

One of the bill’s authors, Senator Graham, has described the Lawful Access to Encrypted Data Act as “a balanced solution that keeps in mind the constitutional rights afforded to all Americans, while providing law enforcement the tools needed to protect the public from everyday violent crime and threats to our national security.” 

The bill specifies that service providers and device manufacturers who are required to comply with LAEDA be “compensated with government funding for reasonable costs incurred in compliance.” The Lawful Access to Encrypted Data Act also establishes a prize competition to award participants who “create a lawful access solution in an encrypted environment, while maximizing privacy and security.”

Deputy Director Evan Greer, of the privacy advocacy group Fight for the Future, has expressed concerns. In a recent interview, Greer stated, “Politicians who don’t understand how technology works need to stop introducing legislation like this. It’s embarrassing at this point. Encryption protects our hospitals, airports, and the water treatment facilities our children drink from. Security experts have warned over and over again that weakening encryption or installing back doors will make everyone less safe, not more safe. Full stop. Lawmakers need to reject the Lawful Access to Encrypted Data Act ... [This bill] would enable mass government surveillance while doing nothing to make [anyone any safer.]”
