Senator Blumenthal Is Super Mad That Zoom Isn't Actually Offering The End To End Encryption His Law Will Outlaw
from the also-should-acquaint-himself-with-the-1st-amendment dept
Richard Blumenthal has been attacking internet services he doesn't understand since before he was even a US Senator. It has carried over into his job as a Senator, and was abundantly obvious in his role as a co-sponsor for FOSTA. His hatred of the internet was on clear display during a hearing over FOSTA in which he flat out said that if smaller internet companies couldn't put in place the kind of infrastructure required to comply with FOSTA, that they should go out of business. Blumenthal's latest ridiculous bit of legislation lose your Section 230 protections. And while Blumenthal likes to pretend that the EARN IT Act doesn't target encryption, he also lied about FOSTA and insisted it had no impact on CDA 230 (which it directly amended).
But Blumenthal has now taken his ridiculousness up a notch. Following the (legitimately concerning) reports that the suddenly incredibly popular videoconferencing software Zoom was not actually providing end-to-end encrypted video chats (despite its marketing claims), Blumenthal decided to step in and play the hero sending an angry letter to the company, while linking to the Intercept's original story about Zoom's misleading claims about encryption:
Millions of Americans are now using @zoom_us to attend school, seek medical help, & socialize with their friends. Privacy & cybersecurity risks shouldn’t be added to their list of worries. I'm calling for answers from Zoom on how it handles our private data. https://t.co/CEg1P3T3S1 pic.twitter.com/Vl9XyvxZjb
— Richard Blumenthal (@SenBlumenthal) March 31, 2020
The letter highlights a number of recent claims that have been made about Zoom's security and privacy practices -- some of which are very significant (and a few that aren't as big a deal) -- including the end to end encryption claims:
Does Zoom provide end-to-end encryption, as the term is commonly understood by cybersecurity experts, for video conferences? Please describe when end-to-end encryption is available for users and how the personal data is encrypted?
And this is a legit question and I think it's good that a Senator is asking that. I just think that this particular Senator is the wrong messenger, given his active role in trying to make it impossible for companies like Zoom to offer end-to-end encryption in the first place, as Riana Pfefferkorn (the Associate Director Surveillance & Cybersecurity at Stanford's Center for Internet and Society) pointed out:
You are a co-sponsor of a bill that everyone, including you, knows is a Trojan horse for banning end-to-end encryption. Your bill would FORCE Zoom to do a crappy job protecting privacy and security. #EARNITAct https://t.co/T4DTzaciyB
— Riana Pfefferkorn (@Riana_Crypto) April 1, 2020
And it gets worse. As Pfefferkorn also points out, Blumenthal's claims to be so concerned about cybersecurity and privacy ring hollow when just last month he straight up claimed that you have no right to privacy online:
.@SenBlumenthal is pretending to care about your privacy online. Last month, he took the position that you have no right to privacy online. Here's where he says so: https://t.co/6Je88DqIc3 pic.twitter.com/iLEzsmTck9
— Riana Pfefferkorn (@Riana_Crypto) April 1, 2020
This was in a weak attempt to "respond to concerns" raised about the EARN IT Act. In one of the responses, concerning government mandates for scanning content and how that interacts with the 4th Amendment, Blumenthal, quoting Neil Gorsuch, claims that there's no reasonable expectation of privacy for any content you put online:
In the Ackerman opinion cited by tech companies as raising Fourth Amendment concerns, Gorsuch suggested that the third-party doctrine will protect evidence of CSAM found by a company that privately searched. When a company has terms and conditions that enable it to privately search, there is no Fourth Amendment violation because users lose their reasonable expectation of privacy. Gorsuch stated that “The [Supreme] Court has, after all, suggested that individuals lack any reasonable expectation of privacy and so forfeit any Fourth Amendment protections in materials they choose to share with third parties.”
Of course, as Pfefferkorn further points out, Blumenthal's broken analysis of the Ackerman opinion leaves out some important information. But, still, Blumenthal seems to constantly be talking out of both sides of his mouth. He doesn't believe in an expectation of privacy for content posted online, but he also wants to slam a company for not keeping information private. He doesn't want companies to have end-to-end encryption, but he's angry at Zoom for not having end-to-end encryption.
And that's not the end of the problems with Blumenthal's approach here. While some of the privacy concerns he raises are legit, he lumps them in with ones that are not. For example, for reasons that make no sense at all, he seems to think the relatively new practice of Zoombombing -- in which (often racist trolls from the worst parts of the internet) find publicly linked Zoom events and pop in to be total assholes -- is on par with the other (often legit) security questions raised by Zoom's security practices. Right after his question about end-to-end encryption he asks:
What measures has Zoom put into place to detect and prevent Zoombombing -- intrusions and abuse targeting Zoom meetings? What are the policies governing such abusive behavior, what detection mechanisms are in place, how can users report abusive intrusions, and how quickly does Zoom respond to such incidents?
While there are plenty of questions about how companies can deal with such things, this is not an issue that is under the government's purview. Indeed, as annoying as Zoombombing is, and as quickly as I'm sure Zoom has been working on technology tools to allow meeting hosts to deal with the issue, most Zoombombing is still 1st Amendment protected speech, and a Senator has no business insisting that Zoom silence such activities. And yet, that seems to be exactly what he's focused on doing:
I am calling on Zoom to take urgent & aggressive action to stop the racists, trolls, & peddlers of hate that are silencing & bullying communities. Check out these steps from the @ADL on protecting yourself. https://t.co/Zyium6IflW
— Richard Blumenthal (@SenBlumenthal) April 1, 2020
In that tweet he says: "I am calling on Zoom to take urgent & aggressive action to stop the racists, trolls, & peddlers of hate that are silencing & bullying communities." Yeah, the 1st Amendment (the one you swore to defend) might want to have a word with you about that, Senator. I'm all for Zoom coming up with tools for users of its service to help prevent such trollish behavior, but seriously, these kinds of stunts are not at all new on the internet and have been around for literally decades. That doesn't make the juvenile behavior any less annoying or problematic, but it's not the role of any government official to insist that a company censor people for protected speech, no matter how trollish.
Separately, of course, this ignores that Zoom had already put in place a detailed plan for how to stop Zoombombing over a week before Blumenthal sent the letter. The company still could do more, and it's worth noting that it has since released a detailed plan to deal with the newly raised security and privacy concerns, including a 90 day freeze on all feature development to have the engineering team focus on privacy and security issues. That didn't take Senator Blumenthal's grandstanding -- and, of course, if Blumenthal's EARN IT Act passes, that would make Zoom's job that much more difficult.
I know that Senator Blumenthal loves to grandstand over tech issues, but it might help if he understood the technology, the law, and the Constitution before making such a fool of himself. Unfortunately, for over a decade he's shown a decided lack of interest in doing any of those things, and I guess he has no intention of starting now.
Filed Under: earn it, encryption, fosta, free speech, privacy, richard blumenthal, section 230, security, trolls, zoombombing
Companies: zoom
