Three US Senators have ignored the Law of Unintended Consequences by proposing new legislation which would end end-to-end encryption as we know it today.

Jamie Davies

June 24, 2020

US Senators fly in the face of the greater good with encryption ban


Senate Judiciary Committee Chairman Lindsey Graham, Senator Tom Cotton and Senator Marsha Blackburn have introduced the Lawful Access to Encrypted Data Act, which intends to end the use of ‘warrant-proof’ encryption technologies.

“Tech companies’ increasing reliance on encryption has turned their platforms into a new, lawless playground of criminal activity,” Cotton said. “Criminals from child predators to terrorists are taking full advantage. This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet.”

“My position is clear: After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations,” Graham said. “Our legislation respects and protects the privacy rights of law-abiding Americans. It also puts the terrorists and criminals on notice that they will no longer be able to hide behind technology to cover their tracks.”

The pursuit of criminals and terrorists should be considered a top priority by any Government, but any action taken needs to be balanced against the wider implications for society. In this case, should encryption be weakened to assist authorities, while simultaneously opening millions of US citizens to the dangers of the dark web?

Another way of looking at this is banning cars because they can be used as getaway vehicles. Yes, the police would be able to catch bank robbers, but the overwhelming majority, who use cars for their intended purpose, are being punished as a consequence. This example is an inconvenience to the general public, but the dilution of encryption technology would be much more serious.

While the Senators are correct that bad actors do use encryption features to hide illegal activities, the general public do not. Encryption provides peace of mind that communications services are safe and effectively unhackable.

Should encryption technologies be weakened, there could be consequences:

  • Whistle-blowers might not be able to communicate with authorities and/or the media to alert the wider society of corporate wrongdoing

  • Dissidents in societies with totalitarian to authoritarian governments might not be able to communicate as freely

  • More general consumers might be compromised when sending personal information or financial details to others via these messaging services

  • The emergence of digital business platforms and payment services for SMEs might be compromised

The Bill itself does not make any promises to deliver an alternative, simply suggesting the Attorney General would award those who create alternatives with a ‘prize’. However, it explicitly states that device manufacturers and service providers would have to assist authorities once a warrant has been obtained.

The issue is that it is almost impossible for device manufacturers and service providers to comply with this order while current end-to-end encryption technologies are in place.

End-to-end encryption works through the creation of encryption keys, which are effectively incredibly complex mathematical equations. If Person A sends a message to Person B, Person B’s public encryption key is used to lock the message from Person A, but the message can only be opened by a private encryption key. Only the recipient of the message has access to this key, meaning no-one aside from Person B can access the content of the message. Not even the company providing the messaging service can break these protections.

There are other ways to encrypt the message. In some examples, the content of the communication is only encrypted while in transit, with the encryption keys being held by the service provider or a third-party intermediary, as opposed to only by the recipient of the message. This process would allow Governments to access the content of the messages; however, it also exposes the keys to nefarious mercenaries on the dark web, many of whom do not need much of an invitation to hack innocent individuals.
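The two key placements described above, side by side, as an added example that is not part of the original article: the same message is sent end-to-end and then via a provider that holds the keys, and `readable_with` reports what the holder of the provider's key store can recover in each case. It assumes a toy Diffie-Hellman construction built on Python's standard library, and all function names are hypothetical.

```python
import hashlib, hmac, secrets
# Added illustration: toy Diffie-Hellman group (stdlib only), hypothetical names; not production cryptography.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)            # (private key, public key)

def _keys(shared):
    raw = shared.to_bytes(32, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def _xor(key, data):
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(recipient_pub, plaintext):
    """Lock a message with the recipient's public key."""
    eph_priv, eph_pub = keypair()           # fresh per message
    enc, mac = _keys(pow(recipient_pub, eph_priv, P))
    body = _xor(enc, plaintext)
    return eph_pub, body, hmac.new(mac, body, hashlib.sha256).digest()

def open_sealed(priv, sealed):
    """Unlock with a private key; raises ValueError for any other key."""
    eph_pub, body, tag = sealed
    enc, mac = _keys(pow(eph_pub, priv, P))
    if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return _xor(enc, body)

def readable_with(key_store, sealed):
    """Plaintext available to whoever holds key_store (the provider, or a copy of it)."""
    for priv in key_store:
        try:
            return open_sealed(priv, sealed)
        except ValueError:
            continue
    return None

def demo(msg=b"constructed sample message"):
    b_priv, b_pub = keypair()               # Person B's device; private key stays there
    srv_priv, srv_pub = keypair()           # the service provider's own key
    e2e_wire = seal(b_pub, msg)             # end-to-end: A locks with B's public key
    hop1 = seal(srv_pub, msg)               # transit-only: A locks with the provider's key
    hop2 = seal(b_pub, open_sealed(srv_priv, hop1))  # provider decrypts, then re-encrypts
    return {"b_e2e": open_sealed(b_priv, e2e_wire), "b_transit": open_sealed(b_priv, hop2),
            "provider_e2e": readable_with([srv_priv], e2e_wire),
            "provider_transit": readable_with([srv_priv], hop1)}
```

Person B reads the message in both models; the provider's key store yields nothing in the end-to-end case and the full plaintext in the transit-only case, which is why that store becomes the thing to protect.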

Although the Senators have good intentions for this Bill, it is incredibly short-sighted, ill-informed and defies logic.

At a time when hackers are at their most active, the US Government is attempting to weaken online security. This should be viewed as a red flag to the dark web, with virtual bulls pawing the ground and huffing aggressively in preparation.

Annual number of data breaches and exposed records, US, 2015-19

Year: 2019*, 2018, 2017, 2016, 2015

Source: Statista

*This number could increase as more incidents are discovered/announced in time

As you can see from the table above, cybersecurity incidents are increasing, and these are only the ones which have been reported to the authorities or known to anyone. IBM has estimated that it actually takes 279 days on average to detect a data breach, with containment taking 314 days, costing the organisation $3.9 million. These estimates are not necessarily directly relevant to end-to-end encryption (phishing scams are still the most common), but they do demonstrate the importance of heightened cybersecurity.

In terms of the number of incidents, we suspect the actual numbers are higher, and should encryption security features be diluted, we believe the frequency of incidents would dramatically increase.

What is worth noting is this is not the first time a Government has attempted to weaken encryption. In 2017, the misguided, woefully informed and out-of-touch UK Home Secretary Amber Rudd launched a quest against end-to-end encryption, even suggesting the general public would not need such security features. Rudd failed in this irresponsible mission, and thus the UK general public is safer as a result.

Weakening end-to-end encryption technologies is effectively introducing a vulnerability to some of the world’s most popular communications services. Wherever there is a chink in the armour, there will be those searching for it. Regardless of how well it is hidden or defended, someone will eventually find it, intentionally or by mistake.
