Barr's Motives, Encryption and Protecting Children; DOJ 230 Workshop Review, Part III
from the don't-break-the-internet dept
In Part I of this series on the Department of Justice’s February 19 workshop, “Section 230 — Nurturing Innovation or Fostering Unaccountability?” (archived video and agenda), we covered why Section 230 is important, how it works, and how panelists proposed to amend it. Part II explored Section 230’s intersection with criminal law.
Here, we ask what DOJ’s real objective with this workshop was. The answer to us seems clear: use Section 230 as a backdoor for banning encryption — a “backdoor to a backdoor” — in the name of stamping out child sexual abuse material (CSAM) while, conveniently, distracting attention from DOJ’s appalling failures to enforce existing laws against CSAM. We conclude by explaining how to get tough on CSAM to protect kids without amending Section 230 or banning encryption.
Banning Encryption
In a blistering speech, Trump’s embattled Attorney General, Bill Barr, blamed the 1996 law for a host of ills, especially the spread of child sexual abuse material (CSAM). But he began the speech as follows:
[Our] interest in Section 230 arose in the course of our broader review of market-leading online platforms, which we announced last summer. While our efforts to ensure competitive markets through antitrust enforcement and policy are critical, we recognize that not all the concerns raised about online platforms squarely fall within antitrust. Because the concerns raised about online platforms are often complex and multi-dimensional, we are taking a holistic approach in considering how the department should act in protecting our citizens and society in this sphere.
In other words, the DOJ is under intense political pressure to “do something” about “Big Tech” — most of all from Republicans, who have increasingly fixated on the idea that “Big Tech” is the new “Liberal Media” out to get them. They’ve proposed a flurry of bills to amend Section 230 — either to roll back its protections or to hold companies hostage, forcing them to do things that really have nothing to do with Section 230, like be "politically neutral" (the Hawley bill) or ban encryption (the Graham-Blumenthal bill), because websites and Internet services simply can’t operate without Section 230’s protections.
Multiple news reports have confirmed our hypothesis going into the workshop: that its purpose was to tie Section 230 to encryption. Even more importantly, the closed-door roundtable after the workshop (to which we were, not surprisingly, not invited) reportedly concluded with a heated discussion of encryption, after the DOJ showed participants draft amendments making Section 230 immunity contingent on compromising encryption by offering a backdoor to the U.S. government. Barr’s speech said essentially what we predicted he would say right before the workshop:
Technology has changed in ways that no one, including the drafters of Section 230, could have imagined. These changes have been accompanied by an expansive interpretation of Section 230 by the courts, seemingly stretching beyond the statute’s text and original purpose. For example, defamation is Section 230’s paradigmatic application, but Section 230 immunity has been extended to a host of additional conduct — from selling illegal or faulty products to connecting terrorists to facilitating child exploitation. Online services also have invoked immunity even where they solicited or encouraged unlawful conduct, shared in illegal proceeds, or helped perpetrators hide from law enforcement. ...
Finally, and importantly, Section 230 immunity is relevant to our efforts to combat lawless spaces online. We are concerned that internet services, under the guise of Section 230, can not only block access to law enforcement — even when officials have secured a court-authorized warrant — but also prevent victims from civil recovery. This would leave victims of child exploitation, terrorism, human trafficking, and other predatory conduct without any legal recourse. Giving broad immunity to platforms that purposefully blind themselves – and law enforcers – to illegal conduct on their services does not create incentives to make the online world safer for children. In fact, it may do just the opposite.
Barr clearly wants to stop online services from “going dark” through Section 230 — even though Section 230 has little (if any) direct connection to encryption. His argument was clear: Section 230 protections shouldn't apply to services that use strong encryption. That’s precisely what the Graham-Blumenthal EARN IT Act would do: greatly lower the bar for enforcement of existing criminal laws governing child sexual abuse material (CSAM), allow state prosecutions, and civil lawsuits (under a lower burden of proof), but then allow Internet services to “earn” back their Section 230 protection against this increased liability by doing whatever a commission convened and controllled by the Attorney General tells them to do.
Those two Senators are expected to formally introduce their bill in the coming weeks. Undoubtedly, they’ll refer back to Barr’s speech, claiming that law enforcement needs their bill passed ASAP to “protect the children.”
Barr’s speech on encryption last July didn’t mention 230 but went much further in condemning strong encryption. If you read it carefully, you can see where Graham and Blumenthal got their idea of lowering the standard of existing federal law on CSAM from “actual knowledge” to “recklessness, which would allow the DOJ to sue websites that offer stronger encryption than the DOJ thinks is really necessary. Specifically, Barr said:
The Department has made clear what we are seeking. We believe that when technology providers deploy encryption in their products, services, and platforms they need to maintain an appropriate mechanism for lawful access. This means a way for government entities, when they have appropriate legal authority, to access data securely, promptly, and in an intelligible format, whether it is stored on a device or in transmission. We do not seek to prescribe any particular solution. ...
We are confident that there are technical solutions that will allow lawful access to encrypted data and communications by law enforcement without materially weakening the security provided by encryption. Such encryption regimes already exist. For example, providers design their products to allow access for software updates using centrally managed security keys. We know of no instance where encryption has been defeated by compromise of those provider-maintained keys. Providers have been able to protect them. ...
Some object that requiring providers to design their products to allow for lawful access is incompatible with some companies’ “business models.” But what is the business objective of the company? Is it “A” — to sell encryption that provides the best protection against unauthorized intrusion by bad actors? Or is it “B” — to sell encryption that assures that law enforcement will not be able to gain lawful access? I hope we can all agree that if the aim is explicitly “B” — that is, if the purpose is to block lawful access by law enforcement, whether or not this is necessary to achieve the best protection against bad actors — then such a business model, from society’s standpoint, is illegitimate, and so is any demand for that product. The product jeopardizes the public’s safety, with no countervailing utility. ...
The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. The Department does not believe this can be demonstrated.
In other words, companies choosing to offer encryption should have to justify their decision to do so, given the risks created by denying law enforcement access to user communications. That’s pretty close to a “recklessness” standard.
Again, for more on this, read Berin’s previous Techdirt piece. According to the most recently leaked version of the Graham-Blumenthal bill, the Attorney General would no longer be able to rewrite the “best practices” recommended by the Commission. But he would gain greater ability to steer the commission by continually vetoing its recommendations until it does what he wants. If the commission doesn’t make a recommendation, the safe harbor offered by complying with the “best practices” doesn’t go into effect — but the rest of the law still would. Specifically, website and Internet service operators would still face vague new criminal and civil liability for “reckless” product design. The commission and its recommendations are a red herring; the truly coercive aspects of the bill will happen regardless of what the commission does. If the DOJ signals that failing to offer a backdoor (or retain user data) will lead to legal liability, companies will do it — even absent any formalized “best practices.”
The Real Scandal: DOJ’s Inattention to Child Sexual Abuse
As if trying to compromise the security of all Internet services and the privacy of all users weren’t bad enough, we suspect Barr had an even more devious motive: covering his own ass, politically.
Blaming tech companies generally and encryption in particular for the continued spread of CSAM kills two birds with one stone. Not only does it offer them a new way to ban encryption, it also deflects attention from the real scandal that should appall us all: the collective failure of Congress, the Trump Administration, and the Department of Justice to prioritize the fight against the sexual exploitation of children.
The Daily, The New York Times podcast, ran part one of a two-part series on this topic on Wednesday. Reporters Michael Keller and Gabriel Dance summarized a lengthy investigative report they published back in September, but which hasn’t received the attention it deserves. Here’s the key part:
The law Congress passed in 2008 foresaw many of today’s problems, but The Times found that the federal government had not fulfilled major aspects of the legislation.
The Justice Department has produced just two of six required reports that are meant to compile data about internet crimes against children and set goals to eliminate them, and there has been a constant churn of short-term appointees leading the department’s efforts. The first person to hold the position, Francey Hakes, said it was clear from the outset that no one “felt like the position was as important as it was written by Congress to be.”
The federal government has also not lived up to the law’s funding goals, severely crippling efforts to stamp out the activity.
Congress has regularly allocated about half of the $60 million in yearly funding for state and local law enforcement efforts. Separately, the Department of Homeland Security this year diverted nearly $6 million from its cybercrimes units to immigration enforcement — depleting 40 percent of the units’ discretionary budget until the final month of the fiscal year.
So, to summarize:
- Congress has spent has half as much as it promised to;
- DOJ hasn’t bothered issuing reports required by law — the best way to get lawmakers to cough up promised funding; and
- The Trump Administration has chosen to spend money on the political theatre of immigration enforcement rather than stopping CSAM trafficking.
Let that sink in. In a better, saner world, Congress would be holding hearings to demand explanations from Barr. But they haven’t, and the workshop will allow Barr to claim he’s getting tough on CSAM without actually doing anything about it — while also laying the groundwork for legislation that would essentially allow him to ban encryption.
Even for Bill Barr, that’s pretty low.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cda 230, congress, csam, doj, encryption, funding, section 230, william barr
Reader Comments
Subscribe: RSS
View by: Time | Thread
So when will Barr demand that everybody carries a mobile phone, with the mic switched on at all times. and remain in range of that mic at all times, just in case the police want to listen in to their conversations?
The above should be sarc but......
[ link to this | view in chronology ]
We are confident that there are technical solutions that will allow lawful access to encrypted data and communications by law enforcement without materially weakening the security provided by encryption.
"Why don't you just nerd harder, nerds. Give us what we want And we'll take your lunchmoney"
[ link to this | view in chronology ]
Anything is easy when you don't have to do it
We are confident that there are technical solutions that will allow two plus two to equal five without materially weakening mathematics.
Anytime he tries the 'it's possible if you just try hard enough' line it needs to be thrown in his face that what he's actually asking is for a paradox, encryption that is both broken and secure at the same time, and the entire discussion needs to be stopped right there until he admits that it can't be done or that he's okay with mandating broken encryption that would leave hundreds of millions at risk.
As he's not even remotely honest enough for either that would shut the conversation down nicely, saving everyone time and brain-cells.
[ link to this | view in chronology ]
Re: Anything is easy when you don't have to do it
Anytime he tries the 'it's possible if you just try hard enough' line...
Someone should ask they question as to why they don't try harder. Why should tech have to compensate for lazy cops?
[ link to this | view in chronology ]
Bill Barr says...
... Go down the hall and ask Ron Wyden... You know he still works there and kind of wrote Section 230, right?
[ link to this | view in chronology ]
Re: Bill Barr says...
Why would he do that, clearly Barr knows what the people who wrote 230 really meant, and it just so happens to exactly match what he wants.
[ link to this | view in chronology ]
If this dickhead is actually successful and gets what he's asking for it will amount to the next large step in the dystopian direction we've been heading in for some time now. It's not all the current administration, either. The previous handful of administrations are all complicit, too, to varying degrees. This step in particular is, imo, the tipping point between the people having some power and/or ability to gain it back and the government having so much power there is no possible recovery; We'll be locked into this government forever with no recourse. Scary times.
[ link to this | view in chronology ]
From this I can only conclude that Barr has absolutely no idea what he's talking about.
A service may have tried to invoke immunity, but that doesn't mean they got it.
which means 230 won't cover them because they're the speaker of the content, so no immunity here
which 230 doesn't apply to, so no immunity here either. If there's a case where a provider did get 230 immunity for one of these things, [citation needed].
How, exactly, does 230 do that? There is literally nothing in the language of 230 that speaks to warrants, much less empowers a service provider to ignore one. Issuance of a warrant also implies a criminal investigation, and 230 doesn't apply to criminal law.
No it doesn't. It just requires that civil recovery come from the party that actually committed the offense.
Um, except for the fact that that's exactly what the law did before 230. You had to blind yourself to get immunity. One of the reasons 230 was created was to help correct that absurdity. It allows a provider to not blind themselves to things that they don't want on their platform by not holding them liable for anything they might have missed.
[ link to this | view in chronology ]
Re:
From this I can only conclude that Barr has absolutely no idea what he's talking about.
That would be a grave mistake, both because it would be heavily underestimating an enemy(and he very clearly sees the public as the enemy) and basing your position on faulty ground, that being that if you just explain things right he'll change his mind. No, at this point your conclusion should be that Barr knows exactly what he's asking for and simply doesn't care what the effects would be.
He wants encryption gone and he doesn't give a damn who gets hurt in the process or how much he has to lie to get it.
[ link to this | view in chronology ]
Child abuse.
I have problems with my attention span. When this administration claims that it is necessary to restrict privacy and freedom of speech in order to protect children better from abuse, I tend to blank out because of having problems reconciling that with their desire to separate children of immigrants from their parents, lock them up in cages, and keep them worse than most kennel dogs concerning sanitary conditions and nourishment.
[ link to this | view in chronology ]
Re: Child abuse.
To be fair it's not just the Trump administration which formulates and executes child abuse by legislation.
Other administrations simply pretended to care. You could argue that democrat administrations pretend more convincingly than republicans, in some cases even to where a few children DO benefit, but as a general rule neither party gives much of a shit what happens to children.
Allow children to vote and you'll see some real attempts to mitigate the harm done to them.
Or make sure the people who end up in office are genuine human beings rather than politicians used to seeing other people as objects. Either works.
[ link to this | view in chronology ]
but also prevent victims from civil recovery
No it doesn't. It just requires that civil recovery come from the party that actually committed the offense.
Distributor liability recognizes that spreading defamation is a separate offense from publishing it. A search engine with 230-immunity can turn a blind eye to defamation which resides in its search results, thus precluding the person harmed by the blind eye (not the original defamation, which might have been on a very small site) from seeking recovery.
[ link to this | view in chronology ]
Re:
Nobody believes you, Herrick.
[ link to this | view in chronology ]
Re:
It is still the responsibility of the defamer, not whatever platforms, which includes search engines.
[ link to this | view in chronology ]
Re:
That might matter if a search engine was a distributor. However, "distribution" and "giving directions" are not the same thing.
[ link to this | view in chronology ]
Go away, Jhon.
[ link to this | view in chronology ]
Re:
"A search engine with 230-immunity can turn a blind eye to defamation which resides in its search results..."
So what you are saying is that making an accurate street map or phone index should result in liability and prosecution?
Still not your best work, Baghdad Bob. Your performance when you waxed eloquently about lives being lost - because people are allowed to speak - was a lot more hilarious.
[ link to this | view in chronology ]
Re:
I believe we’ve had this conversation before: US law does not recognize distributor liability the way you think it does, and the search engine would have had no way of knowing the content was even false, let alone defamatory, until it was proven such in a court of law. When it comes to defamation suits in the US, justifiable ignorance is a defense.
[ link to this | view in chronology ]
'You can't get me, I've got the 'think of the children' shield!'
That last point is really the kicker, and should be shoved in the face of everyone trying to push this dangerously stupid idea every single time they try to bring it up. The government already has the tools and yet they have shown they simply do not care, so why exactly should they be given more tools, ones which will have immense costs to the public, under the assumption that this time they'll actually use them to 'save the children'?
From from being against exploiting children those involved in the process show that if anything their objection is that someone else is doing the exploiting instead of them, as they clearly have no problem using the plight of exploited children for their own dishonest ends after being denied elsewhere.
[ link to this | view in chronology ]
censorship is not unlike universal healthcare, something that by a certain flawed logic will save the youth, but is incapable of achieving it, in reality, and the result will of course be maleficent with either. we all can see plainly how China's censorship has hampered the WHO relating to COVID 19, and who can turn a blind eye to the unoversal healthcare failure of Venezuela?
[ link to this | view in chronology ]
Re:
Meanwhile in every country that isn't a kleptocracy, universal healthcare works just fine in providing a cheaper and better care which a majority of US-citizens can only dream about.
Fun fact: Citizens of Cuba have better health-care in general when compared to the USA... And it's free...
[ link to this | view in chronology ]
Re: Re:
Cubans are completely unable to receive the advanced care that you can receive readily in American suburbia.
[ link to this | view in chronology ]
Re: Re: Re:
Assuming for a moment you are correct access to better healthcare means nothing if you can't afford it.
[ link to this | view in chronology ]
Re: Re: Re:
"Cubans are completely unable to receive the advanced care that you can receive readily in American suburbia."
If the difference is that the health care less than 1% of americans can really afford isn't available in a 3rd-world country is to be considered the lynchpin of the argument then what you've got is a decidedly weaksauce argument.
How would you compare it to Europe and most of Asia? You know, most of the affluent industrialized nations?
I think you'll find that the US lack of universal healthcare is one of those things which has most non-americans looking your way in stark disbelief.
[ link to this | view in chronology ]
Re: Re: Re:
Meanwhile, in Canada, the UK, and many other first-world countries, you get free healthcare and the advanced care available in America.
Also, that more advanced care is made available makes no difference to those who cannot afford it.
[ link to this | view in chronology ]
Re:
Sure, China’s censorship was a significant problem with the recent outbreak, but that really has nothing to do with universal healthcare, and the problem might have been even worse without it. As for Venezuela, I fail to see how the failures of a third-world country prove that it would be futile to try in America.
[ link to this | view in chronology ]
I don't see how preventing law enforcement access differs from preventing intrusion by bad actors. Law enforcement is just a subset of bad actors.
[ link to this | view in chronology ]
Re:
Subset, or cornerstone?
[ link to this | view in chronology ]
So what are the chances the democrats support this bs? I know they fall for the "think of the children" crap too (see - FOSTA) and blame 230 for "bad words" (remember nancy pelosi said something like that last year).
All the dems need to know is if they help pass this I stay home Nov.3rd.
[ link to this | view in chronology ]
Re:
Unfortunately both parties have people who are gunning for 230, albeit for different reasons(one side wants more stuff removed, the other less), so in both cases it's important to keep the heat on and make it clear that voting against 230 is voting against the public and will be returned in kind.
[ link to this | view in chronology ]
Cryptpocalypse now?
[ link to this | view in chronology ]
Re: Cryptpocalypse now?
I'm experiencing a severe lack of paragraphs, did someone steal your enter-key?
PSA: If you want people to read your post, don't make it a wall of text.
[ link to this | view in chronology ]
Re: Cryptpocalypse now?
Your final question:
Yep. It matters, because there are more communists (especially China) connected with FB/Google. Haydan famously declared himself a "libertarian" to guffaws of Maher's crowd. What he was explaining to people, if they would listen, is that he could have implemented crackdowns on various indiscretions that are relatively minor (like drug possession), since it is trivial for them to detect it. In different hands, the US is China. While I disagree with the existence of the NSA at all (and FB/Google, for I would have their practices of collection prohibited, and mandate audits and oversight), the NSA is the least offensive of federal agencies. You know, the thing that got Assange into trouble in the end was that he released CIA stuff. The CIA is presumably entirely communist.
[ link to this | view in chronology ]
Re: Re: Cryptpocalypse now?
"You know, the thing that got Assange into trouble in the end was that he released CIA stuff. The CIA is presumably entirely communist."
I think what was truly unforgivable is that Assange published actual camera footage, including audio, of US gunship pilots knowingly murdering civilians while treating it like a computer game and laughing.
THAT cost them a lot of face.
[ link to this | view in chronology ]
Re: Cryptpocalypse now?
Uh huh. Do go on.
[ link to this | view in chronology ]
Maybe instead of ranting on, Mr. Barr should just go back to his childhood and tell "Big Tech" what he really wants to say.
I know you are, but what am I?
[ link to this | view in chronology ]