Well everybody, today is Independence Day!! I wish each and every one of you an incredibly happy and safe 4th of July weekend!!! So, back to the topic at hand. If you look at the news headlines, it seems that COVID-19 has not disappeared yet; on the contrary, it has been spiking up.
Because of this, there is now talk of introducing more mobile apps to the American public, so that people can be tracked and identified if they have had any sort of interaction with people who have tested positive for COVID-19.
In fact, I wrote a blog posting about this some time ago, and while this idea is great in concept, there are still a number of key security issues related to it, especially when it comes to data privacy rights.
This of course has been very much a hot button topic this year, especially with the GDPR and the CCPA. But now, a proposed piece of new legislation is starting to emerge. It specifically has to do with encryption, and it is known as the “Lawful Access to Encrypted Data Act”.
It has been proposed by three Senators, who are as follows:
*Senate Judiciary Committee Chairman Lindsey Graham (R-South Carolina);
*US Senator Tom Cotton (R-Arkansas);
*US Senator Marsha Blackburn (R-Tennessee).
More details about this introduced piece of legislation can be seen at this link:
Encryption has been a hot button topic as of late, especially when it comes to the FBI and Apple. There have been numerous instances in which the FBI has literally tried to force Apple into giving up its trade secrets with regard to “jailbreaking” its iOS system.
But Apple refused to do this, because it did not want the data privacy of its customers to be affected in any way, shape or form. Because of this, the FBI was delayed in its investigation process as it wrangled with the court system to get a search warrant.
So, the aim of this proposed legislation is to strike a balance between protecting data privacy rights and giving law enforcement agencies, especially the Secret Service and the FBI, the authority they need to collect both digital and forensics-based evidence, so that they can conduct their investigations in a timely manner.
One of the guiding principles here is that vendors of technological devices, especially wireless devices, would have to be much more cooperative when it comes to working with law enforcement officials. But the caveat is that the respective law enforcement agency must first have a valid court order, based upon probable cause.
Here are some of the catalysts that have led to the establishment of this particular bill:
*As mentioned, wireless vendors have been notorious for only letting their customers access the encrypted data stored on their devices. As a result, this has literally tied the hands of law enforcement, even when the vendors themselves know that a criminal activity has taken place or is currently taking place.
*Because of this lack of cooperation from the vendors, law enforcement is extremely limited as to what it can and cannot do. For example, it can attempt to hack into the wireless device itself, which can easily take months, or in extreme cases even years. This can cost millions of dollars, at the expense of the taxpayer.
Or the other option is to simply close the case, leaving the suspect to go free and launch even more devastating cyberattacks.
Now, here are some of the major highlights of the bill:
*Once law enforcement agencies have obtained a valid search warrant, the vendor would be required to assist law enforcement officials to all “reasonable” extents, in order to ensure that enough digital evidence can be collected to obtain a subsequent arrest warrant.
*Both the United States Attorney General and the state-level Attorneys General would have greater powers in making sure that vendors comply with court orders, and also in confirming when the encrypted data will be made available to law enforcement agents. Interestingly enough, the Federal Government would also be required to financially compensate the victim in case they suffer a sustained period of downtime while addressing the requirements of the respective court order.
*It would also introduce a “Bug Bounty” program. For example, if a vendor is deemed to be purposely slow in cooperating with law enforcement officials, then a public program can be launched inviting ethical hackers to break into the device in question. Anybody who is successful will of course receive a great financial reward. But the catch is that the ethical hackers involved must protect the data privacy of the owner of the wireless device. If they violate this, they could face criminal prosecution.
*Much more money would be allocated to the Justice Department’s National Domestic Communications Assistance Center (aka “NDCAC”), so that much more specialized and advanced training can be offered to agents of the Secret Service and the FBI. Also, a dedicated call center operating 24 x 7 x 365 would be created so that anonymous tips can be reported as well.
My Thoughts On This
Honestly, I think this bill is a good idea. There needs to be a balance struck between the privacy rights of Americans and letting law enforcement do its job in tracking down cyberattacker suspects.
But at the same time, the vendors must be cooperative so that these culprits can be apprehended. In the end, the vendor does not have to give up all of its secret sauce, but at least just enough so that law enforcement can do its job.
I am in complete support of this bill passing and becoming law. If it is not passed, this just gives cyberattackers the opportunity to launch more threat variants via their wireless devices, because they now know that it will take law enforcement forever to bring them to justice. During this time, the perpetrator can quite easily flee to another country and avoid being caught altogether.
But what I would like to see is a set of accountability standards also being established, to make sure that vendors are not required to give out any more to law enforcement than they are absolutely required to. After all, if too much information is given out, this can be detrimental not only to the vendor in question, but also to the Personally Identifiable Information (PII) records of its customers.
Finally, it seems that most pieces of cybersecurity legislation go to one extreme or another, like both the CCPA and the GDPR. We need some sort of middle ground here, and this bill would serve exactly that purpose.