Bringing encryption restrictions in through the back door
Legislation recently proposed in the US Senate is ostensibly meant to combat "child sexual abuse material" (CSAM), but it does not actually do much to combat that horrible problem. Its target, instead, is the encryption of user communications, which the legislation—tellingly—never mentions. The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020, EARN IT for short, is an attempt to force online service providers (Facebook, Google, and the like) to follow a set of "best practices" determined by a commission, in order to combat the scourge of CSAM; the composition of that commission makes it clear that end-to-end encryption will not be one of those practices, and companies that do not follow the best practices will lose liability protection for their users' actions. It is, in brief, an attempt to force providers to either abandon true end-to-end encryption or face ruinous lawsuits—all without "seeming" to be about encryption at all.
The bill
The EARN IT bill (i.e. the proposed legislation) would set up a 19-member "National Commission on Online Child Sexual Exploitation Prevention". The commission would consist of three administration officials (the Attorney General, the Secretary of Homeland Security, and the chairman of the Federal Trade Commission) along with 16 other members drawn from several groups: four from law enforcement or the prosecution of CSAM crimes, four who are either survivors of those crimes or professionals who work with the victims, four from the "interactive computer service" industry, two experienced in constitutional law, consumer protection, or privacy, and two computer scientists experienced in "cryptography, data security, or artificial intelligence". That mention of "cryptography" is as close as the bill gets to talking about encryption.
Only 14 of the 19 commission members need to agree on the best practices, however, so the two computer scientists and the two constitutional-law, consumer-protection, or privacy specialists (four seats in all) could be outvoted and ignored entirely. Worse than that, though, is that the Attorney General and the other administration officials effectively have veto power over the best-practices list. Since they will also be participating in the formulation of that list, it seems a tad unlikely that it will not be to their liking. Since the current Attorney General (and, really, all of his predecessors, no matter which of the two dominant parties appointed them) is strongly anti-encryption, one would guess that providing a backdoor "for law enforcement" will make the list.
But the consequences of not following these commission-established rules are where the "earn" part comes in. Companies that offer interactive computer services are currently shielded from liability for the actions of their users by section 230 of the Communications Decency Act (CDA) of 1996. It effectively treats service providers as mere conduits rather than as publishers; the latter have far more liability for the content they purvey. Under EARN IT, though, service providers would only continue to receive section 230 protection if they follow the practices that the commission "recommends". Thus, they would have to earn the right to be treated as conduits rather than publishers, and they could only do so by bowing to the best practices, which will almost certainly curtail true end-to-end encryption for users.
Opposition
Though opponents of EARN IT will be branded as CSAM-enablers, as always, that is not at all what the overwhelming majority of the opponents are after, of course. The argument is always the same litany of bad people (terrorists, abusers of children) who can use encryption to hide their activities, but it is extremely important to note that encryption is also used by regular people for their normal activities. The foundation of every financial transaction on the web, for example, is encryption: the TLS connection between a browser and a bank. People would not be able to safely work, bank, shop, and so on from home, while, say, trying to flatten the curve during a pandemic, without encryption. Like it or not—and politicians hate it, if they even believe it—there is no way to have "magic" encryption that works for everything except when law enforcement wants to have a peek.
Over the years, countless cryptographers and security experts have patiently explained that there is no known way, mathematically, to provide a backdoor for the "good guys" without also effectively providing an opening for the "bad guys". Sometimes the definition of "bad guys" differs, of course. There have been numerous instances where rogue law enforcement agencies and individuals have abused various safeguards for their own gain—or even a perceived societal gain. There are also plenty of instances where rogue employees of online providers have accessed information by using backdoors intended to be used only by the authorities.
Weakening encryption makes it less effective for everyone. Lawmakers often seem to forget how much of the government uses the same online services they are targeting; leaving holes for law enforcement may also leave holes for attackers, some of whom may be working for the intelligence services of less-than-friendly rivals. The interception of Greek officials' mobile phones in 2004 and 2005, carried out by still-unidentified attackers through the lawful-intercept facility built into a carrier's switches, is the standard cautionary tale. Companies and regular folks may be more concerned with interception of their own secrets, almost all of which have nothing to do with terrorism, CSAM, or any other illegal activity.
Beyond that, creating a list of best practices may preclude innovations that could actually help combat CSAM. Once the list of best practices has been adopted, it will be slow to change; commissions are simply another name for committees, after all. Providers will be leery of putting their companies at risk by adding features that violate the best practices, even if the result might be that more criminal behavior would be found. It effectively freezes the list at whatever counts as a best practice today (or, perhaps, in 18 months, when the commission is supposed to conclude its work), and the encryption restrictions, one hopes, are the only items on that list that are not genuinely best practices. In a fast-moving environment like the internet of today, that is simply too risky.
As might be guessed, various online privacy advocates, lawyers with a background in internet matters, cryptographers, and others have come out strongly against EARN IT. Perhaps cryptographer Matthew Green put it best:
So in short: this bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn't come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they'll go bankrupt if they try to disobey this committee's recommendations.
It's the kind of bill you'd come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn't care.
The Electronic Frontier Foundation (EFF) has, unsurprisingly, come out strongly opposed to EARN IT, in more than one analysis. Riana Pfefferkorn of the Stanford Law School Center for Internet and Society has been analyzing the implications of the bill since before it was even introduced, and has continued to do so since. There is lots of additional analysis out there, much of it linked from the reactions above. EARN IT is extraordinarily bad legislation in multiple dimensions, with far-reaching effects that may run afoul of the first, fourth, and fifth amendments to the US Constitution (i.e. part of the "Bill of Rights").
Section 230 has been, rightly or wrongly, targeted by various "sides" over the last few years, in part because of the disinformation war that was waged on social media sites during the last US Presidential election (and other elections elsewhere). The so-called "techlash"—backlash against the online service providers such as Facebook and Twitter—is providing cover for EARN IT. One hopes that it was simply a coincidence, but it would seem that many Americans have more important, health-related concerns right now, so they may not be paying close attention to attempts to circumvent the secrecy protections they want—and need. Whether it was planned or not, Covid-19 is definitely providing cover of a different sort for EARN IT.
The most galling thing about attacks against encryption is that, whether they understand it or not, legislators and others who push for backdoors are, for the most part, only hurting regular users. Those who are technically savvy, or are willing to hire people with those talents, can certainly communicate securely without concern for government surveillance. Mathematics exists, much to the chagrin, if not outright bafflement, of politicians and others; those who need or want effectively unbreakable encryption can have it. Those who cannot have it are the regular users, unless it is made available to them by the various social-media platforms and the like. And, as mentioned earlier, some of those regular users are the very legislators behind this attack, alongside much of the rest of the government they are part of. It would almost be comical if it were not so disheartening.
EARN IT is a neat piece of work—in a sick sort of way. It trumpets the oft-used "but what about the children?" battle cry in a ploy to misdirect the public from its actual aims. That, sadly, is so often the case with this kind of legislation. This is a bill worth keeping an eye on—and trying to stop, if possible. It is a well-crafted attack, however, and pushes all the right buttons, so it may well pass; at that point, presumably, the fight will move to the court system. The crypto wars have come yet again ... stay tuned.
| Index entries for this article | |
|---|---|
| Security | Encryption |
| Security | Legislation |
