You Can't CALEA the Technology Industry
Blog Post
Aug. 1, 2016
Following in the steps of the Intelligence and Judiciary Committees, the Senate Armed Services Committee recently held a hearing on encryption. The hearing, which included testimony from two prosecutors and one former NSA official, but no privacy experts or representatives from the technology sector, focused on whether technology companies should build backdoors for law enforcement officials to access encrypted devices and communications services.
New York County District Attorney Cyrus R. Vance, Jr., spent a majority of the hearing pitching his widely criticized proposal to outlaw fully encrypted devices, like newer iPhones, by requiring manufacturers to build in vulnerabilities to guarantee law enforcement access to information stored on those devices. He compared this type of requirement to those under the Communications Assistance for Law Enforcement Act (CALEA), which required communications companies to configure their networks so they could be easily wiretapped.
Vance fails to recognize that the communications industry of 1994, when CALEA passed, and the technology industry of today are wildly different and cannot be fairly compared. CALEA imposed a wiretap requirement on an industry that was already highly regulated and highly standardized. It impacted a limited number of phone companies, all of which used wired landlines. The technology industry, on the other hand, has evolved exponentially in the past twenty years. The internet enabled large companies and startups alike to bring new services and products to consumers, brought us social networking, and started a smartphone revolution, with more radical changes on the horizon like the internet of things and artificial intelligence. Today’s tech industry is incredibly diverse, lightly regulated, and evolves at breakneck speed.
Vance claims that “[CALEA] has not stifled innovation.” Proving a negative - that CALEA didn’t stifle innovation, for example - is nearly impossible. However, it is worth noting that even though wired telephone lines have evolved a bit in the past twenty years with the advent of broadband services, DSL, and fiber to the curb, that innovation pales in comparison to that of the technology industry. Additionally, today, wireline services are going extinct, as users opt for modern communications technologies. A CALEA-like mandate on those modern technologies would certainly stifle that rapid innovation, where anyone with limited funds can quickly start a tech company and transform an industry. The costs and requirements of developing, testing, and maintaining the mandated software vulnerabilities would be staggering. Small companies and startups could be chilled from entering the marketplace, or could be completely bankrupted by the fallout from an attack on the government-mandated vulnerability that exposes their customers’ information.
To address these kinds of concerns under the original CALEA, Congress earmarked $500 million for the communications companies for the costs of modifying their systems. It would be impossible to estimate the cost of implementing a backdoor mandate today, and Congress would likely never do so.
Another way that Vance’s comparison is false is that the privacy impacts would be significantly different. CALEA only ensured that law enforcement could wiretap phone lines to record people’s conversations, whereas data stored on devices and networks gives law enforcement access to an unparalleled amount of personal information. Devices and networks store and transmit everything needed to paint an intimate picture of someone’s life, like their emails, photos and videos, text messages, browsing history, geolocation information, and much more. Privacy advocates are rightly worried about forcing technology companies to build backdoors that would make this information accessible not only to law enforcement, but to malicious actors too.
In addition to weakening privacy, implementing requirements like encryption backdoors on the technology industry would weaken security. Unlike phone lines, devices and websites are under constant attack. Even government systems are breached regularly, and the threat of cyberattacks is regularly named one of the top threats to national security by the heads of the US Intelligence Community. Strong encryption is our best defense against those threats. Fourteen of the world’s top cryptographers studied whether there was such a thing as a secure backdoor. They concluded that it is technically impossible to build a secure encryption backdoor. Proposals like the one put forth by Vance would not only undermine privacy and devastate the economy, they would put the world’s data in danger.
Ultimately, Vance’s comparison fails when arguing that the government’s regulation of the telephone industry demonstrated the reasonableness of similarly regulating the technology industry. Imposing CALEA-like requirements on the tech industry would be technically infeasible, economically irresponsible, and incredibly dangerous for Americans’ cybersecurity and privacy.