Secure Data Act 2018 - US plans to ban backdoors in devices [again]

In mid-May, members of the US Congress presented a bill called the Secure Data Act 2018. It would prohibit the government and state bodies from requiring manufacturers of technical devices to build backdoors into their products. Such a requirement could not be compelled even through the courts.

Read on for more about the bill and the community's reaction.


/ photo by Paul Sableman CC

The new bill is the successor to bills from 2014 and 2015, which were meant to prohibit US federal agencies from demanding the intentional introduction of vulnerabilities into data protection technology. However, they were never passed.

This year, members of the US House of Representatives Zoe Lofgren, Thomas Massie and others decided to resubmit the Secure Data Act (this time with the designation 2018). This is another attempt to convey the idea that experts in cryptography have been promoting for several decades: there are no secure backdoors.

Members of the House hope that this time they will be able to successfully “promote” the bill. In early May, they even met with members of the Electronic Frontier Foundation (EFF). At the meeting, experts discussed the technical aspects of implementing backdoors and the consequences that can result from deliberately weakening the security of electronic devices.

The essence of the bill


As reported in The Register, the bill aims to protect the integrity of encryption systems. It prohibits any government agency from requiring a manufacturer (or a developer, or even a seller) to make changes to the security systems of technical products that would allow access to users' personal information or allow surveillance to be carried out.

These products include software and hardware, as well as other publicly available electronic devices.

In addition, the law would prohibit courts from forcing anyone to provide access to data. However, it makes an exception for telecommunication providers. Under the US Communications Assistance for Law Enforcement Act (CALEA) of 1994, such organizations are obliged to assist law enforcement agencies and, if necessary, provide them with access to their data networks.

How the community is responding


According to Lofgren, devices with backdoors put users at risk and also harm US companies, since security holes reduce the competitiveness of products on the market. Representatives of the Computer & Communications Industry Association (CCIA) agree with Lofgren. They emphasize that "user confidence in the security of the Internet plays a key role in its viability as a global space for self-expression and commercial activity."

Ordinary Internet users also advocate the adoption of the Secure Data Act 2018, but many of them are convinced that the law "will not pass" this time.

For example, they recall Clipper, a chip with a built-in backdoor for encrypting voice messages. Back then, in 1993, however, the Clipper Chip did not “catch on.” According to a group of researchers from MIT, AT&T, Microsoft, and other companies, its implementation would have put users at risk and led to higher prices for digital devices.


/ photo by Valerie Everett CC

Another reason the bill may not “pass” is that it is opposed by influential industry players. In particular, in April this year, Ray Ozzie, a developer of Lotus Notes and a former technical director of Microsoft, himself proposed a system that provides access to encrypted data on mobile devices. He even received a patent for it.

However, Ozzie’s proposal was criticized by other industry participants. According to Robert Graham from the Errata Security information security team, Ozzie's initiative does not bring anything new, but offers a solution to problems that were solved long ago. Graham argues that experts already know how to create backdoors. The main task now is to protect these backdoors, and Ozzie has no solution for that.

Matthew Green, a cryptography specialist and professor at Johns Hopkins University, also criticized Ray Ozzie’s proposal, as did Bruce Schneier, a security specialist and technical director of IBM Resilient. He said that the introduction of such systems will have devastating consequences in the long term.

Therefore, in the current situation it is difficult to predict whether the proposed bill will be approved. But whatever decision is made, it is unlikely to be unanimous.

Source: https://habr.com/ru/post/412991/