Senate Waters Down EARN IT At The Last Minute; Gives Civil Liberties Groups No Time To Point Out The Many Remaining Problems

from the this-is-still-a-bad-bill dept

As expected, the EARN IT Act is set to be marked up this week, and today (a day before the markup) Senators Graham and Blumenthal announced a "manager's amendment" that basically rewrites the entire bill. It has some resemblance to the original bill, in that this bill will also create a giant "national commission on online child sexual exploitation prevention" to "develop recommended best practices" that various websites can use to "prevent, reduce, and respond to the online sexual exploitation of children," but then has removed the whole "earn it" part of the "EARN IT" Act in that there seems to be no legal consequences for any site not following these "best practices" (yet). In the original bill, not following the best practices would lose sites their Section 230 protections. Now... not following them is just... not following them. The Commission just gets to shout into the wind.

Of course, we've seen mission creep on things like this before, where "best practices" later get encoded into law, so there remain significant concerns about how this all plays out in the long run, even if they've removed some of the bite from this version.

Instead, the major "change" with this version of EARN IT, is that it basically replicates FOSTA in creating a specific "carve out" for child sexual abuse material (CSAM, or the artist formerly known as "child porn"). It's almost an exact replica of FOSTA, except instead of "sex trafficking and prostitution" they say the same thing about 230 not impacting laws regarding CSAM. This is... weird? And pointless? It's not like there is some long list of cases regarding CSAM where Section 230 got in the way. There are no sites anyone can point to as "hiding behind Section 230" in order to encourage such content. This is all... performative. And, if anything, we're already seeing people realize that FOSTA did nothing to stop sex trafficking, but did have massive unintended consequences.

That said, there are still massive problems with this bill, and that includes significant constitutional concerns. First off, it remains unclear why the government needs to set up this commission. The companies have spent years working with various stakeholders to build out a set of voluntary best practices that have been implemented and have been effective in finding and stopping a huge amount of CSAM. Of course, there remains a lot more out there, and users get ever sneakier in trying to produce and share such content -- but a big part of the problem seems to be that the government is so focused on blaming tech platforms for CSAM that they do little to nothing to stop the people who are actually creating and sharing the material. That's why Senator Wyden tried to call law enforcement's bluff over all of this by putting out a competing bill that basically pushes law enforcement to do its job, which it has mostly been ignoring.

On the encryption front: much of the early concern was that this commission (with Attorney General Bill Barr's hand heavily leaning on the scales) would say that offering end-to-end encryption was not a "best practice" and thus could lead to sites that offered such communication tools losing 230 protections for other parts of their site. This version of EARN IT removes that specific concern... but it's still a threat to encryption, though in a roundabout way. Specifically, in that FOSTA-like carve out, the bill would allow states to enforce federal criminal laws regarding CSAM, and would allow states to set their own laws for what standard counts as the standard necessary to show that a site "knowingly" aided in the "advertisement, promotion, presentation, distribution or solicitation" of CSAM.

And... you could certainly see some states move (perhaps with a nudge from Bill Barr or some other law enforcement) to say that offering end-to-end encryption trips the knowledge standard on something like "distribution." It's roundabout, but it remains a threat to encryption.

Then there are the constitutional concerns. A bunch of people had raised significant 4th Amendment concerns in that if the government was determining the standards for fighting CSAM, that would turn the platforms into "state actors" for the purpose of fighting CSAM -- meaning that 4th Amendment standards would apply to what the companies themselves could do to hunt down and stop those passing around CSAM. That would make it significantly harder to actually track down the stuff. With the rewritten bill, this again is not as clear, and there remain concerns about the interaction with state law. Under this law, a site can be held liable for CSAM if it was "reckless" and there are reasons to believe that state laws might suggest that it's reckless not to do monitoring for CSAM -- which could put us right back into that state actor 4th Amendment issue.

These are not all of the problems with the bill, but frankly, the new version is just... weird? It's like they had that original "earn" 230 idea worked out, and were convinced that couldn't actually work, but were too wedded to the general idea to try to craft a law that actually works. So they just kinda chucked it all and said "recreate FOSTA" despite that not making any sense.

Oh, and they spring this on everybody the day before they mark it up, giving most experts almost no time to review and analyze. This is not how good lawmaking is done. But what do you expect these days?

Filed Under: 4th amendment, best practices, child porn, commission, csam, earn it, encryption, section 230, states

Leaked! Details Of The New Congressional Commission To Take On The Encryption Issue

from the we'll-see-how-this-goes... dept

Help us keep covering stories like these!
Back in December, we wrote about plans by Rep. Mike McCaul and Senator Mark Warner to put together a "commission" to figure out what to do about the encryption "issue." In his speech, McCaul did at least say that "providing a backdoor into everybody's iPhone was not going to be a very good strategy" since it would open things up to hackers, but at the very same time, he kept saying that we had to somehow stop bad people (terrorists, criminals, child predators) from using encryption. He also keeps insisting that the Paris attackers used encryption, despite lots of evidence to the contrary. So it's not entirely clear what the point of this Commission is, other than to chase down some mythical solution that doesn't exist.

The basic problem is this: to have real security you need strong encryption. And if you have strong encryption, people who are both good and bad can use it. So either you undermine strong encryption for everyone -- harming the vast majority of good people out there -- or you allow strong encryption, meaning that some bad people can use it. The only way to have strong encryption but not allow the bad guys to use it is to have a technology distinguish who is "bad" from who is "good." I'm pretty sure that's impossible because there's no universal standard for what makes a "bad" or "good" person, and definitely not one that can be implemented in device hardware or software. So a commission seems like a waste of time.

But the Commission is coming... and later today McCaul and Warner are releasing the bill that will form the Commission. Someone kindly leaked us the bill and some related documents over the weekend, so we can give you a bit of a preview. To their credit, it appears that McCaul and Warner have paid attention to the criticism, and really are trying to present a "balanced" commission, rather than one dominated by folks who don't actually understand the technological realities. That's a plus. There's still the negative that what they're basically asking for is impossible, but we'll let that slide for the moment on the basis of "well, their intentions aren't as horrible as we feared...".

So, should this bill pass, the Commission would have 16 members, with the Republicans and Democrats each appointing eight, and that eight that each party appoints would be one person from each of the following fields:

1. Cryptography
2. Global commerce and economics
3. Federal law enforcement
4. State and local law enforcement
5. Consumer-facing technology sector
6. Enterprise technology sector
7. Intelligence community
8. Privacy and civil liberties community

That's actually... not a bad mix overall, though obviously who is appointed will make a huge difference in terms of whether or not we have a useful commission or one that will declare the impossible (and dangerous) possible. The commission will actually have subpoena authority, which is an interesting choice, and will, of course, hold a bunch of hearings. And it's expected to move pretty quickly:

1. Commissioners must be appointed within 30 days of enactment (except for the ex officio).
2. The Commission shall hold its first meeting within 60 days of enactment.
3. The interim report is due within 6 months of the initial meeting.
4. The final report is due within 12 months of the initial meeting.
5. The Commission terminates within 60 days after the final report.

Meanwhile, given that it's almost certain that the commission will not unanimously agree on anything, the final report needs to only be agreed upon by 11 12 of the 16 commissioners. And dissents will be published with the report as well. Even getting to 11 12 may be tricky without some serious compromises. If you assume (which is already unlikely) that the non-law enforcement/intelligence guys would all agree on something, you're still left with the 6 law enforcement and intelligence commissioners. One Two of them would have to be convinced to go along with the report. I mean, it is possible. Michael Hayden and Michael Chertoff have both been going around saying that strong encryption is good and backdoors are bad. So maybe you get someone like them to be one of the "intelligence community" folks on the commission -- but it's still an uphill battle. Update: While the FAQ originally said 11 were needed to agree, the actual legislation says 12, making it that much trickier.

At the very least though, it does seem clear that -- contrary to the concerns of many -- this isn't just a commission set up to say "backdoor all encryption." So while it still seems focused on the impossible, it's still much better than it could have been (and would have been under some other folks in Congress).

Help us keep covering stories like these!

Filed Under: commission, congress, encryption, going dark, mark warner, michael mccaul

As Law To Backdoor Encryption Stalls, Congress Tries Backup Stupid Plan To Backdoor Encryption

from the bad-ideas-all-around dept

Late last year, Senator Richard Burr, who is painfully wrong on encryption, announced that he and Senator Dianne Feinstein were working on new legislation that would mandate backdoors to encryption. Most people recognized that such a bill had little-to-no chance of actually passing Congress, as there are at least enough folks up on Capitol Hill who realize that such a law is incredibly stupid. Given that, it's little surprise that reporter Jenna McLaughlin from The Intercept is reporting that such legislation "has been delayed."

But, fear not, foes of strong encryption, because there's always a plan B. Late last year, we also noted that Rep. Michael McCaul, the head of the House Homeland Security Committee, was going to propose legislation that would create a "commission" bringing tech companies and law enforcement together to work on a way to undermine encryption. While, at the very least, he noted concerns about backdooring encryption (and later noted how backdoors could weaken everyone's security), it hasn't stopped him from moving forward with this commission, and making some fairly ridiculously ignorant statements about all of this.

McCaul, together with Senator Mark Warner (who should know better), has announced that they're moving forward with legislation to set up this commission, and still ridiculously claims that "going dark" is a real problem that needs to be "solved."

McCaul said the group would be given “a tight time frame” to develop “recommendations to the Congress as to what can be done to solve this urgent, and I think very challenging threat to our national security.”

But, as if to underline how little McCaul really seems to understand about the issue, during a press conference about this, he claimed that the "going dark debate" was started by Ed Snowden's use of encryption, leading to a rather sarcastic reply from Snowden himself:

Chairman McCaul on "going dark": "It’s ironic that Edward @Snowden really sort of created all this when he started using encryption."

— Kaveh Waddell (@kavehewaddell) January 19, 2016

Other things Chairman McCaul thinks I created: famine, climate change, bieber. https://t.co/eJ8JWyDy1K

— Edward Snowden (@Snowden) January 19, 2016

It's troubling that the guy who thinks Snowden started the debate on going dark is now apparently going to lead this commission to deal with the "problem" of going dark. Nor is the whole "tight timeline" particularly encouraging. Because the whole thing is based on a false premise that if we just "get smart people in the room," they'll figure out "a solution."

But how many times does it need to be said before law enforcement and politicians understand the rather basic facts: you can undermine encryption, but it makes everyone significantly less safe. There is no way to build technology that says "only the pure of heart may use this technology, while ISIS may not." The second you try to do that, all you end up doing is opening up serious vulnerabilities that will put everyone at risk.

Meanwhile, another report on this planned commission claims that it will "be tasked with developing a solution that doesn’t require a 'backdoor' into encrypted communications." That's obviously better than being tasked with backdooring encryption... but what does that even mean? The whole setup of the discussion and the debate is falsely framed around the idea that strong encryption is a "problem" that needs to be "solved." Saying "but we don't mean backdoors," feels like a semantic game, such as James Comey's ridiculous attempt a few months back, where he insisted that the FBI wants "front doors" instead of backdoors.

If Rep. McCaul and Sen Warner were serious about "Homeland Security," they'd both get on the bandwagon supporting strong encryption because that, and that alone, is the best way to protect computer security for Americans.

Filed Under: backdoors, commission, congress, dianne feinstein, ed snowden, encryption, going dark, mark warner, michael mccaul, richard burr