[Congressional Record Volume 161, Number 3 (Thursday, January 8, 2015)]
[Senate]
[Pages S101-S108]
From the Congressional Record Online through the Government Printing Office [www.gpo.gov]


          STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS

[...]


      By Mr. WYDEN:
  S. 135. A bill to prohibit Federal agencies from mandating the 
deployment of vulnerabilities in data security technologies; to the 
Committee on Commerce, Science, and Transportation.
  Mr. WYDEN. Mr. President, today I am reintroducing legislation that I 
introduced at the end of the last Congress along with a bipartisan 
group of colleagues in the House of Representatives. We call it the 
Secure Data Act, because it is designed to help protect the sensitive 
data of American citizens
and businesses from being compromised by foreign hackers. And I believe 
it will also help protect and promote the American digital economy at a 
time when growing the number of family-wage jobs is so important both 
to Oregonians and to people across the country.
  Hardly a week goes by without a new report of a massive data theft by 
computer hackers, often involving trade secrets, consumers' financial 
information, or sensitive government records. It is well known that the 
best defense against these attacks is strong data encryption and more 
secure technology systems.
  This is why I and many others have been troubled by suggestions from 
senior officials that computer hardware and software manufacturers 
should be required to intentionally create security holes, often 
referred to as back doors, to enable the government to access data on 
every American's cell phone and computer, even if that data is 
protected by strong encryption. The problem with this proposal is that 
there is no such thing as a magic key that can only be used by good 
people for worthwhile reasons. There is only strong security or weak 
security.
  Americans are rightly demanding stronger security for their personal 
data. And requiring companies to build back doors into their products 
would mean deliberately creating weaknesses that hackers and 
unscrupulous foreign governments could exploit. The results of this 
approach can be seen elsewhere--in 2005, citizens of Greece discovered 
that dozens of their senior government officials' phones had been under 
surveillance for nearly a year. The eavesdropper was never identified, 
but the vulnerability was--it was built-in wiretapping features 
intended to be accessible only to government agencies following a legal 
process.
  Mandating back doors would also remove incentives for innovation. If 
you're required to build a wall with a hole in it, you aren't going to 
invest a lot of money in developing better locks. And these mandates 
could also do enormous harm to U.S. technology companies that are 
working hard to overcome the damage that has been done by recklessly 
broad surveillance policies and years of deceptive statements by senior 
government officials.
  This legislation would expressly prohibit the government from 
mandating that tech companies build security weaknesses into their 
products. I would note that similar legislation from Representatives 
Massie and Lofgren passed the House of Representatives on a bipartisan 
vote of 293-123 in June of last year. So, I look forward to working 
with colleagues on a bipartisan basis to advance this bill, and to 
receiving feedback and input from colleagues and interested 
stakeholders, so that it can be further improved as it moves forward.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                 S. 135

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Secure Data Act of 2015''.

     SEC. 2. PROHIBITION ON DATA SECURITY VULNERABILITY MANDATES.

       (a) In General.--Except as provided in subsection (b), no 
     agency may mandate that a manufacturer, developer, or seller 
     of covered products design or alter the security functions in 
     its product or service to allow the surveillance of any user 
     of such product or service, or to allow the physical search 
     of such product, by any agency.
       (b) Exception.--Subsection (a) shall not apply to mandates 
     authorized under the Communications Assistance for Law 
     Enforcement Act (47 U.S.C. 1001 et seq.).
       (c) Definitions.--In this section--
       (1) the term ``agency'' has the meaning given the term in 
     section 3502 of title 44, United States Code; and
       (2) the term ``covered product'' means any computer 
     hardware, computer software, or electronic device that is 
     made available to the general public.
                                 ______