Prepare for another attack on privacy in the U.S.

joker44 · 2020-03-13T15:26:42.000Z

The EARN-IT Act Prepare for another attack on encryption in the U.S. The EARN-IT Act purports to be about protecting children from predation, but it's really about forcing the tech companies to break their encryption schemes [...] [ EARN-IT ] would finally give [AG William] Barr the power to demand that tech companies obey him or face serious repercussions, including both civil and criminal liability. Such a demand would put encryption providers like WhatsApp and Signal in an awful conundrum: either face the possibility of losing everything in a single lawsuit or knowingly undermine their users' security, making all of us more vulnerable to online criminals. So in short: this bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn't come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they'll go bankrupt if they try to disobey this committee's recommendations. [...] It's the kind of bill you'd come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn't care. Full post on Schneier on Security: https://www.schneier.com/blog/archives/2020/03/the_earn-it_act.html PS: This tactic of devising laws or regulations that do not directly ban certain conduct -- nude lapdances or abortion procedures -- just making it more difficult to operate a club or clinic and stay within the law has been deployed by states to shut-down strip clubs and abortion providers.

Steve Gibson's comments on his podcast Security Now! #758 - 03-17-20

twit.tv

A despicable attack on encryption It surely does appear that our government, embodied by crypto-naive politicians, is, one way or another, going to figure out how to break into the encryption-protected assets of American citizens.

The most recent effort, dubbed the “EARN IT” act is almost despicable. First of all “EARN IT” is the most tortured abbreviation we've encountered in some time. It stands for: “Eliminating Abusive and Rampant Neglect of Interactive Technologies.”

So, get a load of this. What is it that strong data encrypting companies would be “earning”? The legislation proposes to strip the protection provided by section 230 of the Communications Decency Act from certain apps and companies which would then hold them responsible for user- uploaded content... unless they provide a means for “lawful access” to their encryption- protected content.

In other words, the legal protections that currently serve to hold all of our online social media companies harmless for whatever their users post, would now need to be “earned” by allowing law enforcement to have access.

Sadly, EARN IT is a bipartisan effort, having been introduced by (no surprise) anti-encryption crusader Lindsey Graham, Richard Blumenthal and other legislators who continually use the specter of online child exploitation to argue for the weakening of encryption.

Remember that we discussed this back in December 2019: While grilling Facebook and Apple, Lindsey threatened to regulate encryption unless the companies give law enforcement access to encrypted user data while pointing to child abuse.

Graham said to the assembled tech-company heads: “You’re going to find a way to do this or we’re going to go do it for you. We’re not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion.”

The EFF notes that one of the problems with the EARN IT bill, among many, is that the proposed legislation “offers no meaningful solutions” to the problem of child exploitation. They wrote:

"It doesn’t help organizations that support victims. It doesn’t equip law enforcement agencies

with resources to investigate claims of child exploitation or training in how to use online platforms to catch perpetrators. Rather, the bill’s authors have shrewdly used defending children as the pretense for an attack on our free speech and security online."

If passed, the legislation will create a “National Commission on Online Child Sexual Exploitation Prevention” tasked with developing “best practices” for owners of Internet platforms to “prevent, reduce, and respond” to child exploitation online. But, as the EFF maintains, “Best practices” would essentially translate into legal requirements:

"If a platform failed to adhere to them, it would lose essential legal protections for free

speech."

It turns out that the “best practices” approach arose from pushback over the bill’s predicted effects on privacy and free speech – pushback that caused its authors to roll out the new structure. The best practices would be subject to approval or veto by the Attorney General (currently William Barr, who has himself already issued a public call for backdoors), the Secretary of Homeland Security (ditto), and the Chair of the Federal Trade Commission (FTC).

CNET talked to Lindsey Barrett, a staff attorney at Georgetown Law’s Institute for Public Representation Communications and Technology Clinic who said that the way that the bill is structured is a clear indication that it’s meant to target encryption:

"When you’re talking about a bill that is structured for the attorney general to give his opinion

and have decisive influence over what the best practices are, it does not take a rocket scientist to concur that this is designed to target encryption."

If the bill passes, the choice for tech companies comes down to either weakening their own encryption and endangering the privacy and security of all their users, or foregoing Section 230 protections and potentially facing liability in a wave of lawsuits.

A senior legislative counsel for the American Civil Liberties Union, said:

"The removal of Section 230 liability essentially makes the ‘best practices’ a requirement. The

cost of doing business without those immunities is too high."

Prepare for another attack on privacy in the U.S.

comments (3)