The issue of encryption is heating up again. The FBI recently announced that it can’t access the contents of a cell phone owned by the San Bernardino shooters. Some are calling for a ban on devices with unbreakable encryption, meaning tech companies would have to either install security vulnerabilities in their products or retain the encryption keys to the devices they sell. State lawmakers in California and New York have introduced bills to that effect.
These bills are an assault on civil liberties, and arguably unconstitutional. But regardless of what one thinks of the underlying issue, this is not a matter that states should be handling on their own. To clarify that this is a federal matter, Reps. Ted Lieu, D.-Calif., and Rep. Blake Farenthold, R.-Texas, have introduced the ENCRYPT Act, which would bar states from passing these laws. It would apply to hardware devices, software, and online services — everything from your smartphone to the protocols protecting your online identity and financial information.
What does this mean for the average American? Quite simply, it means that no state can take away your ability to protect your personal information, whether on your iPhone or when using e-commerce sites like Amazon. For technology firms, it means not having to comply with dozens of different state-based requirements, which in turn reduces costs for consumers.
In short, if you like your encryption you can keep it. At least for now.
Our federalist system has the benefit of serving the American people 50 separate laboratories of democratic experimentation. However, on this particular issue, federalism does not serve the American people well. Imagine trying to comply with 50 separate legal regimes: In one locality encryption may be allowed, while right across state lines, the use of this technology could be entirely prohibited.
For technology firms dealing with the reality of a borderless Internet, state-based mandates on encryption — whether used by smartphones or in software protocols that protect data in transit — will impose major regulatory and economic hardships, producing high degrees of market uncertainty. In addition, the inconsistent legal patchwork that might emerge could have negative consequences for privacy, civil liberties, and national security more broadly. If you think cybersecurity is a major issue now, just wait until encryption is allowed only in certain states and localities. Long, costly, and distracting legal battles would reign.
Lieu’s legislation, while certainly a move in the right direction, is hardly the end of the encryption conversation. It only prevents individual states from passing anti-encryption legislation. The federal government still reserves the right to mandate security vulnerabilities or otherwise force tech firms to change their business models — an approach that was met with favor by FBI director James Comey.
The American people deserve better. But while the broader debate over encryption continues, Congress should take this opportunity to assert its jurisdiction, as well as affirm its support for a strong economy, an empowered citizenry, and unflinching respect for civil liberties.
Op-ed by Ryan Hagemann; originally published in RealClearPolicy