Prepare for another attack on privacy in the U.S.

joker44
In the wind
The EARN-IT Act
Prepare for another attack on encryption in the U.S. The EARN-IT Act purports to be about protecting children from predation, but it's really about forcing the tech companies to break their encryption schemes.
[...]
[ EARN-IT ] would finally give [AG William] Barr the power to demand that tech companies obey him or face serious repercussions, including both civil and criminal liability. Such a demand would put encryption providers like WhatsApp and Signal in an awful conundrum: either face the possibility of losing everything in a single lawsuit or knowingly undermine their users' security, making all of us more vulnerable to online criminals.

So in short: this bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn't come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they'll go bankrupt if they try to disobey this committee's recommendations.
[...]
It's the kind of bill you'd come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn't care.

Full post on Schneier on Security: https://www.schneier.com/blog/archives/2…

PS: This tactic of devising laws or regulations that do not directly ban certain conduct -- nude lapdances or abortion procedures -- just making it more difficult to operate a club or clinic and stay within the law has been deployed by states to shut down strip clubs and abortion providers.

san_jose_guy
5 years ago
That way of doing things is fucked. We all have to protect privacy.

SJG
joker44
5 years ago
The Schneier website is a great resource for well-explained privacy issues and cybersecurity news.
joker44
5 years ago
Steve Gibson's comments on his podcast Security Now! #758 - 03-17-20

https://twit.tv/shows/security-now/episo…

A despicable attack on encryption
It surely does appear that our government, embodied by crypto-naive politicians, is, one way or
another, going to figure out how to break into the encryption-protected assets of American
citizens.

The most recent effort, dubbed the “EARN IT” act is almost despicable. First of all “EARN IT” is
the most tortured abbreviation we've encountered in some time. It stands for: “Eliminating
Abusive and Rampant Neglect of Interactive Technologies.”

So, get a load of this. What is it that strong data encrypting companies would be “earning”? The
legislation proposes to strip the protection provided by section 230 of the Communications
Decency Act from certain apps and companies which would then hold them responsible for
user-uploaded content... unless they provide a means for “lawful access” to their
encryption-protected content.

In other words, the legal protections that currently serve to hold all of our online social media
companies harmless for whatever their users post, would now need to be “earned” by allowing
law enforcement to have access.

Sadly, EARN IT is a bipartisan effort, having been introduced by (no surprise) anti-encryption
crusader Lindsey Graham, Richard Blumenthal and other legislators who continually use the
specter of online child exploitation to argue for the weakening of encryption.

Remember that we discussed this back in December 2019: While grilling Facebook and Apple,
Lindsey threatened to regulate encryption unless the companies give law enforcement access to
encrypted user data while pointing to child abuse.

Graham said to the assembled tech-company heads:
“You’re going to find a way to do this or we’re going to go do it for you. We’re not going to
live in a world where a bunch of child abusers have a safe haven to practice their craft. Period.
End of discussion.”

The EFF notes that one of the problems with the EARN IT bill, among many, is that the proposed
legislation “offers no meaningful solutions” to the problem of child exploitation. They wrote:

"It doesn’t help organizations that support victims. It doesn’t equip law enforcement agencies
with resources to investigate claims of child exploitation or training in how to use online
platforms to catch perpetrators. Rather, the bill’s authors have shrewdly used defending children
as the pretense for an attack on our free speech and security online."

If passed, the legislation will create a “National Commission on Online Child Sexual Exploitation
Prevention” tasked with developing “best practices” for owners of Internet platforms to “prevent,
reduce, and respond” to child exploitation online. But, as the EFF maintains, “Best practices”
would essentially translate into legal requirements:

"If a platform failed to adhere to them, it would lose essential legal protections for free
speech."

It turns out that the “best practices” approach arose from pushback over the bill’s predicted
effects on privacy and free speech – pushback that caused its authors to roll out the new
structure. The best practices would be subject to approval or veto by the Attorney General
(currently William Barr, who has himself already issued a public call for backdoors), the
Secretary of Homeland Security (ditto), and the Chair of the Federal Trade Commission (FTC).

CNET talked to Lindsey Barrett, a staff attorney at Georgetown Law’s Institute for Public
Representation Communications and Technology Clinic who said that the way that the bill is
structured is a clear indication that it’s meant to target encryption:

"When you’re talking about a bill that is structured for the attorney general to give his opinion
and have decisive influence over what the best practices are, it does not take a rocket scientist
to concur that this is designed to target encryption."

If the bill passes, the choice for tech companies comes down to either weakening their own
encryption and endangering the privacy and security of all their users, or forgoing Section 230
protections and potentially facing liability in a wave of lawsuits.

A senior legislative counsel for the American Civil Liberties Union said:

"The removal of Section 230 liability essentially makes the ‘best practices’ a requirement. The
cost of doing business without those immunities is too high."
