By Daniel Garcia
The pandemic has brought out the worst in people who have decided to take advantage of the situation at hand. Some businesses are marketing products with no scientific backing, claiming they either cure or prevent COVID-19, while others are taking advantage of consumers by mimicking government economic stimulus programs. The Federal Trade Commission is hard at work, issuing warning letters and enforcing penalties for these companies. However, there might be another predator looming in the dark, using the pandemic as cover to pass a new regulation. Senators have recently introduced the Lawful Access to Encrypted Data Act (LAED) of 2020. While the name doesn't sound maniacal, I will cover the benefits and weaknesses that can arise if this act were passed into law.
Small Business Owners and Data Encryption
You might be asking why small business owners should care about data encryption. To start, let’s explain what encryption is. Encryption is essentially securing communications at both ends of the chain. Encryption is used to secure messages that are sent from one device to another using apps such as WhatsApp, but it is also used to encrypt data (web traffic, searches, location, files, etc.) on cell phones, laptops, or operating systems. The latter focuses on securing the connection between the device and the individual using the device, usually through a password. Without the password, a hacker will have trouble accessing the underlying information. For example, most modern Apple devices encrypt the data on the cell phone or tablet by default. Encryption protects data even if it is exposed, for example, if a hacker steals a hard drive and does not have the password. If hackers intercept the information or data, encryption prevents them from accessing the underlying information without the key (the same as a password). For example, if parties using WhatsApp have their data intercepted, the data will appear as digits and letters with no way to read the information without the key. Hackers can attempt to decrypt the data, but it can take a significant amount of time.
Small business owners would be wise to protect their customers' data and personal information from anyone attempting to gain unauthorized access, as a matter of good business practice. Besides, many small business owners are legally compelled by government-mandated regulations to either encrypt sensitive data or have adequate security methods of protection. Luckily, a lot of software and devices give users the ability to encrypt their data and communications. For example, Microsoft’s BitLocker offers full-disk encryption, and Apple’s FileVault provides the same. Thus, even if the encrypted device is lost or hacked, information such as consumer addresses, names, credit card information, or even social security numbers will be locked away and largely useless to any would-be hacker. There is also software, such as VeraCrypt, to encrypt specific files if you choose not to encrypt the entire hard drive. If you want to learn more about encryption, especially as a small business owner, you can view this short guide here.
Data encryption effectively protects small business owners, their information, and the information of their users. Data breaches are becoming a normal part of life. Notable examples include the Target data breach, where hackers gained access to over 41 million customers' personal information, including names, phone numbers, credit card numbers, and other sensitive data, and the frequent hacking of celebrity iCloud accounts. Yet these large companies have strategic security measures in place, security personnel on staff, and spend a substantial sum of money on data protection. What about small business owners? How can they be protected if even the mega-companies are exposed?
In 2015, the Chief Operating Officer of the National Security Institute in Washington D.C., when addressing the House of Representatives, stated that 50% of small businesses had been victims of a cyber-attack, and 60% of those attacked go out of business. One benefit of encryption is that if a company is the victim of a cyber-attack and the data is encrypted, the encryption provides a safeguard by requiring the hacker to attempt to decrypt the data, which is a lengthy process. However, what if the small business reasonably relied on the software or device encryption to protect the underlying information? Even if the data is encrypted, a hacker who has a key (such as a password or a backdoor, as explained later) can decrypt the data and access the underlying information. This idea of having a key leads us to the concern with implementing LAED into law.
LAED's effect is to create a "backdoor" for the "good guys" and give them the key. It commands companies to create or alter their software so that it bypasses the need for the personal key or password to decrypt data, which allows the government to read the underlying information from an encrypted device or communications. Before I talk about LAED specifically, I think it is essential to understand why this has come into play in today's society.
What has prompted Congress to pass this bill?
The Senators' intent can be boiled down to one sentence: to "end warrant-proof encryption in devices, platforms, and systems." What is warrant-proof encryption? Warrant-proof encryption is the situation where the government, armed with a warrant, is unable to read the underlying device data because of the device encryption, and the manufacturer will not create software or malware to retrieve the underlying information. The legislative attempts came to fruition after the 2015 San Bernardino terrorist attack, a mass shooting and attempted bombing in San Bernardino, California. The FBI requested that Apple unlock the shooter's phone so they could read the underlying information, since they were unable to access the device's data without a password because of the encryption. The government requested that Apple create new software that would enable the FBI to extract the data and view it. It was a high-stakes showdown in the court system where the government asked the court to command Apple to comply. Ultimately, the government was able to access the phone with the help of a private party and dropped the lawsuit. Apple refused and continues to refuse, taking a strong stance against creating a "backdoor" for its software encryption in order to protect its users. Apple does provide data from its iCloud servers when requested through court orders, but it refuses to create software to access encrypted data stored on devices. Recently, in the Pensacola case, the FBI only asked for the data on the phones and said Apple could keep the phone and software, but this would still require Apple to create such "backdoor" software. Apple continued its stance and refused. You can read the article here.
If LAED is passed into law, what does that mean for small business owners?
Two central positions are taken in supporting or not supporting the LAED. The primary motive for passing the bill is to bolster national security interests by ending warrant-proof encrypted technology from device and software manufacturers, preventing terrorists and bad actors, like the San Bernardino shooters, from concealing their illicit behavior. The Act would allow government officials to access the data and prevent technology companies from denying lawful warrant requests. Also, it would reduce the increasing reliance on encryption by said terrorists and bad actors. The Senators argue that the nation's privacy and public safety can work together, and that the freedom of privacy will still be protected for law-abiding Americans. Yet, at the same time, it places criminals on notice that they will no longer be able to use devices and technology to hide their criminal activity and keep the information unidentifiable even after capture. You can read more about the position of the government and the Senators' statements attempting to pass the bill here.
The position of the government is logical and based upon protecting the safety of the nation, yet it might not be the most effective means of reaching such safety. Are these representatives the best individuals to tell us how a decryption mandate should be implemented, or should we allow security experts to influence the decisions? As you've read above, Apple has taken strong opposition to such an idea and outright refused to comply with commands from the government. Also, their CEO said, "there is no such thing as a backdoor for the good guys." Facebook executives have also chimed in, saying, "It is simply impossible to create such a backdoor for one purpose and not expect others to try and open it." The bill, while backed by good intentions, gives the Justice Department the ability to require tech companies that create encrypted devices, software, or operating systems to decrypt data when requested, which is the "backdoor." Even if doing so is impossible, the bill requires companies to redesign the system to be compliant. If the bill passes, many manufacturers will have to rework their devices and software to comply.
Why is a backdoor to encryption bad?
Even if companies could build a backdoor that could only be used by the good guys, it would make the software weaker and susceptible to hackers. The government argues (in the Pensacola case) that Apple can make one-time-use software and delete it immediately after the data is decrypted and retrieved. However, after creation, such software can be used any number of times on any number of devices. After creation, the software is in the world, and as many of my law professors state, you cannot unring a bell. Weakening encryption by creating the backdoor creates vulnerabilities that criminals, hackers, and any bad actor will exploit. The President and CEO of the Information Technology Industry Council stated that creating this vulnerability will almost "certainly cause physical and financial harm across our society and our economy."
Why should a small business owner care?
Requiring this backdoor to encryption will cause more harm to small businesses because those same backdoors meant to protect society are likely to be used by criminals and will inevitably harm society. Given that small business owners are more susceptible and have more to lose, it's a serious concern, especially since 60% of small businesses that are hacked close their business. Weakening the protection that small business owners rely on might cause more harm than good. Large companies continuously have their servers breached by hackers and consumers' data accessed for unlawful purposes. These companies have the funds to install specialized advanced security protection. Small businesses rarely can secure their data in the way Apple, Microsoft, and Target can; they rely on the means available to them, such as FileVault, BitLocker, and VeraCrypt. If LAED passes into law, it is not a matter of if the hackers will pinpoint the vulnerabilities but a matter of when. Whether the costs are justified as a means to an end is for every American to decide by voicing their opinion to their representatives.
Whether or not your small business currently has procedures in place to protect the data of your customers, the FTC has issued articles to help. They have a page for safeguarding your business here, called "Cybersecurity for Small Business," and they also have a guide for companies to protect consumers' personal information, which you can also find here.
Key Takeaway
Data encryption protects society's information from the would-be hackers looking for their next victims. Small business owners are the most susceptible since they are not able to implement personalized systems and rely on larger companies for their security. LAED will weaken encryption and possibly end the safety it provides. Even the government has fallen victim to breaches caused by bad security (notably the Shadow Brokers data breach). It might be worth the cost, but is it, given the increase in exploitation and weaknesses? That is for you to decide. In the meantime, implement the best security practices you can for your small business to protect your consumers' data. Good luck!