Chinese lawmakers passed anti-terrorism legislation this week compelling Internet service providers to decrypt data — a law Chinese officials said was influenced by a similar fight in the U.S. that’s taken center stage since the Islamic State-inspired attacks in Paris last month.
The law, passed by China’s parliament Sunday, mandates that telecommunications providers and technology firms provide Chinese authorities with “technical means of support” aimed at preventing terrorism, including decrypting data. The legislation steps back from provisions included in an earlier draft that would have forced companies to submit their encryption code to the Chinese government, and store Chinese user data on servers inside China.
“Telecommunications and Internet service providers should provide technical interfaces and technical support and assistance in terms of decryption and other techniques to the public and national security agencies in the lawful conduct of terrorism prevention and investigation,” the law reads, according to China’s Xinhua News Agency.
In defense of the law, initially criticized by U.S. companies and President Barack Obama, China said multiple Western nations — including the U.S. — have asked Internet service providers for encryption keys or back doors.
“This rule accords with the actual work need of fighting terrorism and is basically the same as what other major countries in the world do,” Li Shouwei, deputy head of the parliament’s criminal law division under the legislative affairs committee, told reporters after China’s National People’s Congress passed the bill, according to Reuters.
France passed a similar sweeping digital surveillance law in the wake of the Charlie Hebdo attack earlier this year. Lawmakers in the UK are weighing a similar bill in the aftermath of recent Islamic State-inspired attacks in Paris and San Bernardino.
The same fight, waged in the U.S. since companies including Apple announced end-to-end encryption as the default standard last year, accelerated after investigators in the Paris attacks said some of the attackers used encrypted messaging platforms Telegram and WhatsApp to plan their assaults.
Shortly before Congress recessed for the holidays, Senate Intelligence Committee ranking Democrat Dianne Feinstein said she was “going to seek legislation” with Senate Intelligence Committee Chairman Richard Burr to address the issue.
“If there is conspiracy going on over the Internet, that encryption ought to be able to be pierced,” Feinstein said during a hearing earlier this month.
Burr followed up on Feinstein’s comments in a Wall Street Journal op-ed shortly before Christmas, and said “[i]t’s time to update the law.”
“[C]riminals in the U.S. have been using this technology for years to cover their tracks,” Burr wrote. “The time has come for Congress and technology companies to discuss how encryption — encoding messages to protect their content — is enabling murderers, pedophiles, drug dealers and, increasingly, terrorists.”
Burr said technology has “outpaced the law” in terms of encryption, which in many cases can’t be accessed by service providers or device manufacturers — including Apple and Google, the largest in the U.S. — without a user’s password.
“The core statute, the Communications Assistance for Law Enforcement Act, was enacted in 1994, more than a decade before the iPhone existed,” Burr wrote. “The law requires telecommunications carriers — for instance, phone companies — to build into their equipment the capability for law enforcement to intercept communications in real time.”
“The problem is that it doesn’t apply to other providers of electronic communications, including those supporting encrypted applications.”
Burr pointed to recent testimony from FBI Director James Comey on the attempted shooting in Garland, Texas, as one example. During the same hearing with Feinstein, Comey revealed the FBI has been unable to access 109 messages one of the would-be shooters exchanged with a terrorist overseas the morning of the planned attack in May.
“We have no idea what he said, because those messages were encrypted,” Comey told the committee. “And to this day, I can’t tell you what he said with that terrorist 109 times the morning of that attack. That is a big problem. We have to grapple with it.”
Burr said the cover afforded by encryption extends beyond violent crime, and pointed to the recent issue highlighted by Massachusetts Democratic Sen. Elizabeth Warren of banks using the encrypted messaging platform Symphony to hide illegal transactions from regulators.
In response to pressure from Warren and Wall Street regulators, banks agreed to store decryption keys with independent third parties, and Symphony agreed to keep communication logs for seven years.
Burr said the solution should serve as an example that the public and private sectors can work together on a compromise, and criticized Apple specifically for marketing on its inability “to respond to government warrants for the extraction of this data from devices,” in the company’s own words.
During his testimony Comey similarly said he didn’t believe the issue was a technical one for companies, but the result of “business models” designed “so that they say, ‘even if we want to, we can’t.’”
“The question of whether the answer is compelling them to do that by legislation is one that I can’t answer sitting here,” Comey said.
Burr said Apple’s recent refusal to unlock a suspect’s iPhone in a New York criminal case is further evidence it’s time for Congress to act.
“It would seem to me that daily financial flows shouldn’t command more attention than terrorist or criminal communications, yet here we are,” Burr wrote. “I and other lawmakers in Washington would like to work with America’s leading tech companies to solve this problem, but we fear they may balk.”
“When Apple objected to a recent court order in a New York criminal case requiring it to unlock an iPhone running iOS 7 — an operating system that Apple can unlock — the company refused, arguing: ‘This is a matter for Congress to decide.’ On that point, Apple and I agree.”