Senators Pretend That EARN IT Act Wouldn't Be Used To Undermine Encryption; They're Wrong

from the plausible-deniability dept

On Wednesday, the Senate held a hearing about the EARN IT Act, the bill that is designed to undermine the internet and encryption in one single move -- all in the name of "protecting the children" (something that it simply will not do). Pretty much the entire thing was infuriating, but I wanted to focus on one key aspect. Senators supporting the bill, including sponsor Richard Blumenthal -- who has been attacking the internet since well before he was in the Senate and was just the Attorney General of Connecticut -- kept trying to insist the bill had nothing to do with encryption and wouldn't be used to undermine encryption. In response to a letter from Facebook, Blumenthal kept insisting that the bill is not about encryption, and also insisting (incorrectly) that if the internet companies just nerded harder, they could keep encryption while still giving law enforcement access.

“This bill says nothing about encryption,” Sen. Richard Blumenthal..., said at a hearing Wednesday to discuss the legislation...

[....]

“Strong law enforcement is compatible with strong encryption,” Blumenthal said. “I believe it, Big Tech knows it and either Facebook is lying — and I think they’re telling us the truth when they say that law enforcement is consistent with strong encryption — or Big Tech is using encryption as a subterfuge to oppose this bill.”

No, the only one engaged in lying or subterfuge here is Blumenthal (alternatively, he's so fucking ignorant that he should resign). "Strong" encryption is end-to-end encryption. Once you create a backdoor that lets law enforcement in, you've broken the encryption and it's no longer strong. Even worse, it's very, very weak, and it puts everyone (even Senator Blumenthal and all his constituents) at risk. If you want to understand how this bill is very much about killing encryption, maybe listen to cryptographer Matthew Green explain it to you (he's not working for "Big Tech," Senator):

EARN IT works by revoking a type of liability called Section 230 that makes it possible for providers to operate on the Internet, by preventing the provider from being held responsible for what their customers do on a platform like Facebook. The new bill would make it financially impossible for providers like WhatsApp and Apple to operate services unless they conduct “best practices” for scanning their systems for CSAM.

Since there are no “best practices” in existence, and the techniques for doing this while preserving privacy are completely unknown, the bill creates a government-appointed committee that will tell technology providers what technology they have to use. The specific nature of the committee is byzantine and described within the bill itself. Needless to say, the makeup of the committee, which can include as few as zero data security experts, ensures that end-to-end encryption will almost certainly not be considered a best practice.

So in short: this bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn’t come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they’ll go bankrupt if they try to disobey this committee’s recommendations.

It’s the kind of bill you’d come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn’t care.

Or listen to Stanford's Riana Pfefferkorn explain how the bill's real target is encryption. As she explains, the authors of the bill (including Blumenthal) had ample opportunity to put in language that would make it clear that it does not target encryption. They chose not to.

As for the "subterfuge" Blumenthal calls out, the only real "subterfuge" here is by Blumenthal and Graham in crafting this bill with the help of the DOJ. Remember, just the day before the DOJ flat out said that 230 should be conditioned on letting law enforcement into any encrypted communications. So if Blumenthal really means that this bill won't impact encryption he should write it into the fucking bill. Because as it's structured right now, in order to keep 230 protections, internet companies will have to follow a set of "best practices" put together by a panel headed by the Attorney General who has said multiple times that he doesn't believe real encryption should be allowed on these services.

So if Blumenthal wants us to believe that his bill won't undermine encryption, he should address it explicitly, rather than lying about it in a Senate hearing, while simultaneously claiming that Facebook (and every other company) can do the impossible in giving law enforcement backdoor access while keeping encrypted data secure.


Filed Under: earn it, earn it act, encryption, intermediary liability, richard blumenthal, section 230


Reader Comments



  1. Anonymous Anonymous Coward, 12 Mar 2020 @ 11:05am

    It won't stop them

    There are likely multiple companies, overseas, who are keeping their fingers crossed and hoping and wishing that this bill passes. The profile of these companies are those that have encryption products in existence or in the pipeline, or will start designing their version as soon as the bill passes.

    As has been said many times here (and elsewhere) by many people, the bad guys will get their encryption from someone who isn't under the thumb of the US government. There is probably also a large cadre of people who you and I wouldn't classify as bad, but wish to keep their communications private. Journalists, diplomats, negotiators, strategists, and business executives come immediately to mind. The military has already said that this is a really big mistake.

    The next step will be for the government to claim these offshore products are munitions and therefore illegal. The fact that many of those 'not bad' users are also ones who fund political campaigns will become painfully clear to politicians when that happens.

  2. fairuse, 12 Mar 2020 @ 12:29pm

    Any encryption product without Gov'ment mark

    Yes if bill passed - Only Gov'ment approved encryption. Using Rebel tools to bypass snooping would be like ripping disks. Making and selling devices would be illegal.

    Munitions is eye catching.

    Software / Hardware to bypass and lockout Gov'ment mandated encryption is safety hazard and is criminal act of terrorism.

  3. Bruce C., 12 Mar 2020 @ 12:41pm

    Reminds me...

    of the French government claiming that their copyright regime wouldn't mandate automated filters during the debate over there.

  4. Anonymous Coward, 12 Mar 2020 @ 12:50pm

    How does this bill impact email services, where the user can use encryption that is outside the provider's control, like PGP? Will they be expected to block use for any email that the service cannot read?

  5. This comment has been flagged by the community.
    Anonymous Coward, 12 Mar 2020 @ 1:32pm

    It'd be a shame if Blumenthal's brakes failed while going down a really steep hill. Think of it as a backdoor into the pressure system that allows his car to stop.

  6. Anonymous Coward, 12 Mar 2020 @ 1:34pm

    Re: It won't stop them

    There are likely multiple companies, overseas, who are keeping their fingers crossed and hoping and wishing that this bill passes.

    So... Google, Facebook, etc.? It would take nothing more than filing a sheet of paper to suddenly be non-US companies. The only reason they haven't already done it is US laws and taxes are far more favorable than those of most other nations. If either of those switches the other way around there is nothing to stop any of them from instantly reducing the US GDP.

  7. Upstream, 12 Mar 2020 @ 1:44pm

    Email services can read this just fine:


  8. Anonymous Coward, 12 Mar 2020 @ 2:16pm

    Re: Email services can read this just fine:

    I was not asking can email services support encrypted messages at the technical level, but rather would they be allowed to continue to allow encrypted messages on their servers, or would they be held liable if they could not deliver a readable message at the drop of a warrant.

  9. That One Guy, 12 Mar 2020 @ 2:21pm

    How to spot a dishonest liar in one easy step...

    It’s the kind of bill you’d come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn’t care.

    Not 'kind of', it is. He and those pushing the train wreck have failed to undermine encryption directly, so they've sunk to trying to slip it through in another manner, making clear for all to see how grossly dishonest and dangerous to the public they really are.

  10. That One Guy, 12 Mar 2020 @ 2:31pm

    Re: Re: Email services can read this just fine:

    No and yes respectively, as you can be damn sure that 'able to provide access to all data upon request' would be one of the 'best practices' that would be tied to 230 protections.

  11. That One Guy, 12 Mar 2020 @ 2:37pm

    Re:

    No, just no. The people indifferent about the security and well-being of the public is already too high a number, there is no call for that sort of comment to add to the number.

  12. Anonymous Coward, 12 Mar 2020 @ 2:48pm

    Re:

    That hasn't been funny since Henry II and Thomas Becket. Or more contemporarily, any movie with a mobster. Don't be making meme-laden threats about a person's safety.

    If you must use "it would be a shame if", then try this one:

    It would be a shame if, having been warned of the consequences of his bill beforehand, his own correspondence became public because of lack of encryption caused by the bill.

    "Hoist by your own petard", in other words.

  13. Anonymous Coward, 12 Mar 2020 @ 3:25pm

    Well the bill seems to not have garnered much support on Capitol Hill yet with Congress being preoccupied with the coronavirus so it's not likely to pass before the election but they may try to pass it during a lame duck session, how likely is the bill to pass?

  14. Rocky, 12 Mar 2020 @ 3:30pm

    Full circle...

    So it seems we have come full circle in regards of encryption.

    Once upon a time DES-56 was on the munitions list of things not to be exported from the USA, with EARN IT, it will (and other algorithms) be on the list of munitions forbidden to be imported.

  15. Anonymous Anonymous Coward, 12 Mar 2020 @ 3:52pm

    Re:

    This may not be the same bill as the one you are referring to, but it seems at least the House of Representatives is not in a constituent friendly mood.

    https://reason.com/2020/03/12/over-objections-from-privacy-advocates-tame-surveillance-bill-sails-through-the-house/

  16. That One Guy, 12 Mar 2020 @ 5:10pm

    Re: Re:

    Looks like that's talking about the other disastrous bill that TD covered today, the fake surveillance 'reform' bill.

  18. PaulT, 12 Mar 2020 @ 11:51pm

    Re: Any encryption product without Gov'ment mark

    ...and then when the government approved encryption is made useless by their mandated back doors, nobody legally has encryption. Brilliant.

  19. Anonymous Coward, 13 Mar 2020 @ 12:14am

    Well implemented encryption can't really be stopped. However, the major weakness in cybersecurity has nothing to do with encryption within the US.

  20. Anonymous Coward, 13 Mar 2020 @ 8:13am

    Re: Re: Any encryption product without Gov'ment mark

    Encryption is just math, right?

    So just stop teaching math, and there won't be any more encryption.

  21. Anonymous Coward, 13 Mar 2020 @ 8:35am

    Re: Re: Re: Any encryption product without Gov'ment mark

    I will still have my Captain Midnight decoder ring.

  22. Anonymous Coward, 13 Mar 2020 @ 9:04am

    No one of authority gives a damn about kids and pornography and in this case, the whole aim is to undermine encryption, not protect anyone! The USA is fast becoming the same as a nation that was fought against 75 years ago. What the hell happened? How the hell did we get to this place? Once it's here, with just a very few giving orders that the rest have to follow or suffer the consequences, there'll be no coming back. The Land Of The Free is a long way off and a long time away!

  23. That One Guy, 13 Mar 2020 @ 2:05pm

    Re:

    No one of authority gives a damn about kids and pornography and in this case, the whole aim is to undermine encryption, not protect anyone!

    Oh that's certainly a big part of it, but it's not the entire goal, there's also forcing platforms to be 'neutral', which is to say give certain groups special treatment and stop 'oppressing' them by applying penalties for TOS violations/being repulsive individuals.

  24. Anonymous Coward, 16 Mar 2020 @ 5:43pm

    Re: Any encryption product without Gov'ment mark

    I feel that, more likely, what will end up happening is chasing the remaining cleartext traffic to the onion web. Can't use client and server side """"""scanning""""""" if the thing they scan is complete garbage that they don't know where it came from.
    The idea that we've come all this way just to cripple the internet to keep the three letters out is far more terrifying.

  25. Anonymous Coward, 16 Mar 2020 @ 5:44pm

    Re: Email services can read this just fine:

    No joke, I would start posting my public key with every message I make if this went into effect.
