Will Silicon Valley have to choose between end-to-end crypto and shutting down speech it hates?

Episode 274 of the Cyberlaw Podcast

|The Volokh Conspiracy |

Our guests this week are Paul Scharre from the Center for a New American Security and Greg Allen from the Defense Department's newly formed Joint Artificial Intelligence Center. Paul and Greg have a lot to say about AI policy, especially with an eye toward national security and strategic competition with China. Greg sheds some light on DOD's activity, and Paul helps us understand how the military and policymakers are grappling with this emerging technology. But at the end of the day, I want to know: Are we at risk of losing the AI race with China? Paul and Greg tell me not all hope's lost – and how we can retain technological leadership.

In what initially seemed like a dog-bites-man story, Attorney General Barr revived the "warrant-proof" encryption debate. He brings some thoughtful arguments to the table, including references to practical proposals by GCHQ, Ray Ozzie, and Matt Tait. Nick Weaver is skeptical toward GCHQ's proposal. But I think the future of the debate will be driven by Facebook's apparent plan to drastically undermine end-to-end encryption by introducing content moderation to its encrypted messaging services. I argue that Silicon Valley is so intent on censoring its users that it is willing to sacrifice confidentiality and security (at least for anyone to the right of George W. Bush). News Roundup newcomer Dave Aitel thinks I'm wrong, at least in my attribution of Facebook's motivations.

Mieke Eoyang, another News Roundup newcomer, brings us up to date on all the happenings in election security. Bob Mueller's testimony brought Russian election meddling to the fore. His mistake, I argue, was testifying first to the hopelessly ideological House Judiciary Committee. Speaking of Congress, Mieke notes that the Senate Intel Committee released a redacted report finding that every state was targeted by Russian hackers in the 2016 election – and argues that we're still not prepared to handle their ongoing efforts.

Congress is attempting to create a federal election security mandate through several different election security bills, but they likely will continue to languish in the Senate, despite what Mieke sees as a bipartisan consensus. Meanwhile, Director of National Intelligence Dan Coats, now on his way out, has established a new office to oversee and coordinate election security intelligence. Nick adds an extra reason to double down on election security: How else can we convince the loser that he is indeed the loser?

In other news, NSA is going back to the future by establishing a new Cybersecurity Directorate. Dave sheds light on the NSA's history of reorganizations and what this new effort means for the Agency. Dave and I think there's hope that this move will help NSA better reach the private sector – and even give DHS a run for its money.

I also offer Dave the opportunity to respond to critics who argued that his firm, Immunity Inc., was wrong to include a version of the BlueKeep exploit in its commercial pentesting software. The long and the short of it: If a vulnerability has been patched, then that patch gives an adversary everything they need to know to exploit that vulnerability. It only makes sense, then, to make sure your clients are able to protect themselves by testing exploits against that vulnerability.

Mieke brings us up to speed on the cybercrime blotter. Marcus Hutchins, one of Dave's critics, pled guilty to distributing the Kronos malware but was sentenced to time served thanks in part to his work to stop the spread of the WannaCry ransomware. Mieke says that Hutchins's case is a good example that not all black hat hackers are irredeemable. I note that it was good for him that he made his transition before he was arrested. Dave and Nick support the verdict while lamenting how badly hackers are treated by US law.

We round out the News Roundup with quick hits: Facebook had a very bad week, not least because of the multibillion dollar fine imposed by the FTC; the Department of Justice is going to launch a sweeping antitrust investigation into Big Tech; there was a wild hacking conspiracy in Brazil involving cell phones, bribes, and carwashes; Equifax reached a settlement with the FTC regarding its epic data breach. Speaking of which, we make a special offer to loyal listeners who can now claim a $125 check (or free credit monitoring, if you really prefer). Just go here, and be sure to tell them the Cyberlaw Podcast sent you. Oh, and an anti-robocall bill finally made it through both houses of Congress.

Download the 274th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

NEXT: Rand Paul Takes an Unpleasant Cue from Trump, Offers Rep. Ilhan Omar Flight to Somalia

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. I can’t say I’m at all surprised about FB prioritizing it’s own censorship over its customers’ privacy; FB prioritizes EVERYTHING over its customers’ privacy.

    But I think you underestimate the market for communications Zuckerberg can’t read. Any OS with built in censorship is going to be DOA.

    1. Same thoughts. The tech giants have lost a lot of credibility from their waffling and deceit. Someone will come along with true impartiality and privacy, and collect enough customers to thrive.

      1. In the long term, you’re correct. Someone will come along with a better product and the market will follow. But the “tech giants” are already trying to produce that product.

        There’s about a third of population that wants to feel oppressed, so they’ll invent it and swear they can see and feel it, and, I Ithink, actually believe it’s real… even though it isn’t. This comes from both right and left, btw, although it’s the righties doing most of the talking about it right now. Oh! Oh! The media is against us because we’re conservative! Oh! Oh! The courts are against us because we’re conservative! Oh! Oh! Big Tech is against us because we’re conservative! It’s right up there with people who see racism everywhere.

      2. Have either of you considered that the reason FB is so popular is because of the censorship? That is that maybe there are a lot of (young) people who want to use a social media site that mistreats people who y’all think are just normal right-of-center truth warriors?

        1. Considered and rejected; It’s just the network effect. People don’t chose FB because other people are censored, you don’t have to follow people you disagree with, so what does it matter that they can say things you disagree with?

          Most sane people just aren’t that concerned about other people saying things they disagree with where they don’t even hear it.

          1. “Considered and rejected”

            That seems to happen pretty consistently to things that don’t fit your preferred ideology.

            1. Look: I have no doubt that there is a powerful faction of the left that regards censorship of dissent as laudable. They pursue it relentlessly, and work hard to worm their way into positions from which they can do it. And they’re quite influential, because most media platforms are owned by leftists, and because, (As Conquest noted.) the left is all about taking over institutions. So if the odd social media platform decides not to play around, they aren’t permitted to just go their own way. They get denied IT and financial services, they get hidden in search results.

              HOWEVER… The left is not remotely a majority of Americans or FB users. The platforms are doing this to please themselves, not their customers.

              1. It may be that they’re doing this to please a tiny minority of their most vocal customers, which is hardly unusual.

                1. It’s fairly unusual in most businesses to kick out customers just because a vocal minority dislikes them. It’s becoming more common, though, as the left works at its deplatforming push.

                  1. Well, not that unusual. Especially if the “vocal minority” is actually a majority.

              2. “HOWEVER… The left is not remotely a majority of Americans or FB users. The platforms are doing this to please themselves, not their customers.”

                The broad center has little interest in the concerns of the wide fringes of either side.

                People don’t choose Facebook because people are censored, true enough. But they aren’t boohooing over the wingnuts who just can’t seem to stay in the TOS being shown the door, either.

                The services are responding to their customers.

                1. Right, they’re responding to one particular very noisy minority of their customers, and only because the people running FB are ideologically allied with that noisy minority. They fail to respond to the equally noisy minority offended by deplatforming and censorship, because they’re ideologically opposed to THAT minority.

                  This is not customer driven at all. It’s management driven.

                  “But they aren’t boohooing over the wingnuts who just can’t seem to stay in the TOS being shown the door, either.”

                  This isn’t a case of not complying with the TOS. It’s a case of FB pretextually claiming (Often non-specific!) violations of the TOS to justify actions against ideological foes.

                  1. “Right, they’re responding to one particular very noisy minority of their customers”

                    The point you continue to overlook is that I’m not talking about a “very noisy minority”. I’m talking about a majority.

                    I’m sorry that your message is poorly received and/or unwelcome to the majority of people who hear it, but… yeah. That’s what it is. Not a vast conspiracy against you led by shadowy figures with connections to top management at every company except, somehow, Fox News.

                    1. Yeah, I know you’re talking about a majority. I’m not humoring your fantasy.

          2. “People don’t chose FB because other people are censored, you don’t have to follow people you disagree with, so what does it matter that they can say things you disagree with?”

            Because there are a lot of (mostly) young people who demand that FB do things that they agree with, and FB does it to please its customers.

            “Most sane people just aren’t that concerned about other people saying things they disagree with where they don’t even hear it.”

            Why do you think that FB is used primarily by people you think are “sane” in this definition? Have you done a lot of research? Also, has it crossed your mind that conservatives won’t stop using FB just because they censor some conservatives?

            1. “Why do you think that FB is used primarily by people you think are “sane” in this definition? ”

              FaceBook has over 200 million users in the US. Just what percentage of the population do you think are nuts?

              1. As much as 40% of the population thinks Trump is doing a good job as President. That’s nuts.

                FB kicks out those users who piss off enough of their other customers to be noticed. In much the same way that any other business will kick out someone who’s chasing other customers away. That’s capitalism at work. It’s a little amusing that it’s the rightwinger’s turn to be complaining about how capitalism works, but… not that amusing, honestly.

                1. “FB kicks out those users who piss off enough of their other customers to be noticed. ”

                  If THAT were true, they’d be kicking off a lot of people on the left, too, like the various Antifa pages that don’t face enforcement of TOS even when they explicitly advocate violence.

                  There’s no getting around it, FB’s actions aren’t against both political fringes, they only deplatform one end of the spectrum.

                  1. Waa Waa Waa.

                    There’s no getting around it. If you want a website to make and enforce the rules you want, you have to build it and own it, and then you get to decide what to allow and what to not allow.

                    Whining that someone else won’t let you use their property the way YOU see fit is just that… whining.

                    1. I know of some florists and bakers who will be glad to hear that.

                      No, seriously, I’m fine with that, so long as they get their Section 230 protection, (Which is predicated on their moderation activities being in good faith.) yanked. They want to exercise editorial control, let them be treated as a publisher, not just a neutral conduit.

                    2. “I’m fine with people using their property as they see fit. So long as they get punished for it.”

                      What other kinds of organizations should face punishment for not letting you use their property in the way they prefer? That snooty golf course that wouldn’t let you do donuts on the greens? That pesky cable-news channel that won’t let you explain your theories of economic prosperity through government intervention?

    2. Allow me to make a plug for Signal: a secure messaging app that works seamlessly across Windows, Mac, Android and iOS. Its messages, voice and video calls cannot be monitored by any government or corporation. And a great feature: disappearing messages that can be set to expire and be deleted automatically after up to a week.

      https://signal.org

  2. No election security bill will make it through Congress for as long as Mitch McConnell thinks that Republicans can benefit from foreign interference in our elections.

    1. McConnell: “Clearly this request is not a serious effort to make a law. Clearly something so partisan that it only received one single solitary Republican vote in the House is not going to travel through the Senate by unanimous consent,”

      I’ve not seen the text of these two bills, but I’ve yet to see a single ‘election security’ bill out of this house that wasn’t larded down with poison pill amendments. Democrats are much less interested in election security than they are opportunities to paint Republicans as opposed to it.

      1. ” Democrats are much less interested in election security than they are opportunities to paint Republicans as opposed to it.”

        THAT must explain why all those Republican election-security bills came out so early.

        What ARE the essential elements of the Republicans’ election-security proposals, other than “people who might vote Democrat get new requirements if they want to vote”

        1. Of course, the biggest challenge to getting an election-security bill passed is getting Trump to sign it.

          For some reason, he’s been… reluctant… to state publicly that foreign opponents of the US wanted to elect the weaker candidate, and worked to get him elected.

          As a result, he (and his supporters) first tried to float the idea that there were no foreigners tampering with our election process, even though there’s video of him asking them for help. When that didn’t work, he briefly tried to go with “they wanted me because I’m such a cool guy they just like me better”. Alas, the news media AREN’T biased enough against him to laugh directly in his face when he tells the whoppers.

          1. “elect the weaker candidate”

            Secretary Reset Button

            “and worked to get him elected”

            Doesn’t follow from first part.

            1. Apparently, some other people ALSO have trouble saying it, too.

        2. I remember rather a lot of election-security bills being proposed when the Rs were in power. As I recall, they were immediately shouted down as “attempts to disenfranchise the voters” whether they really were or not. Putting someone else in a lose-lose situation is not generally a great way to make friends or get things done.

          1. It’s curious that you would frame an attempt to prevent foreign interference in domestic elections as a “lose-lose situation” for Republicans. That’s certainly not how Senate Republicans have framed things. From the Senate Committee on the Judiciary:

            ““Russian interference in the 2016 election exposed just a small piece of our adversaries’ cyber capabilities,” said [Republican Lindsey] Graham. “Seeking to undermine American democracy and our standing on the world stage, hostile nations like Russia, Iran, China, and North Korea work every day to develop new cyber weapons to deploy against the United States. We should be particularly vigilant of our voting systems. This legislation provides the Department of Justice the ability to investigate and prosecute those who seek to manipulate elections systems equipment. The House of Representatives should act quickly to pass this bill to help protect us from further attempts to interfere with the 2020 election.””

            1. The russians have been interfering in our elections since the 1920s. Their effect on our elections now is significantly less than when you had the likes of Duranty covering up for their genocide.

              1. I know. That’s why GOP politicians sometimes say things like “I’m concerned about Russians interfering in our elections.” What is curious is that they aren’t as consistent about that now, as they used to be. Some people (cynically, I know) think this has something to do with the fact that Republicans, and in particular the party’s leader, believe that Russian interference with elections is now good for Republicans.

      2. “I’ve not seen the text of these two bills, but I’ve yet to see a single ‘election security’ bill out of this house that wasn’t larded down with poison pill amendments.”

        Well if you haven’t seen them, how do you know there are poison pills in them? Go look, come back, and tell us what you find objectionable.

        Even if “Democrats are [not] interested in election security” shouldn’t Republicans be? What’s the Republican argument for promoting foreign interference in elections, except that it currently rewards their side? Are you prepared to say that you’re ok with Russian interference in American elections so long as it benefits Republicans?

        1. Election ssecurity is voter ID and forcing paper ballots with metric fucktons of cameras. Problem solved.

          1. Unless you count all the tampered elections that occurred under those conditions to be not “solved”.

        2. How do I know there are poison pills in them? You mean aside from the fact that every election related bill originated by the Democrats I’ve ever looked at was chock full of poison pills, so if these didn’t have any they’d be shocking exceptions?

          I’ve read HR1, it was a joke.

          The “SAFE” act, despite the red flag of having a cutesy acronym, doesn’t appear to contain an poison pills beyond the obvious problem that it would likely be impossible to implement in the remaining time before the 2020 election, despite mandating that it be implemented for that election.

          But, the key point here is, McConnell didn’t refuse to allow them to be voted on. He refused to allow unanimous consent. Is there some reason why Democrats consider a roll call vote on election security bills to be an outrage?

  3. “I argue that Silicon Valley is so intent on censoring its users that it is willing to sacrifice confidentiality and security”

    But the real question is what does the marketplace want?

    Usually the seeds of corporate downfall are planted when a big company thinks that they know better than their customers.

    What does the marketplace want – confidentiality, security, or content moderation? I suspect its not content moderation, that is something that corporate marketing executives think that they want. I suspect what the marketplace wants, or at least a large segment, is confidentiality and security. Facebook will give it to them, or lose market share to some other company.

    1. In contrast, I don’t think it’s confidentiality, or Facebook would no longer exist. People who value privacy aren’t using Facebook in the first place, and Facebook has obviously found enough suckers, er, customers to get by on.

      Microsoft has three decades worth of proof that security comes second to ease-of-use… the biggest complaints came when they finally did implement proper security, and everybody’s favorite programs broke as a result and the OS asked them if it was OK to proceed, and if it was, would they mind proving it by providing an administrator’s name and password?

      1. People who value privacy aren’t using Facebook in the first place

        Has someone who values privacy and knows a bit or two about information security (as its my job) – I use Facebook. The difference is how you use it. Facebook is a tool – that’s all it is. Don’t be an idiot and put your birthdate, address, phone number, etc in a tool that is setup to sell you advertisement. Meanwhile my parents are happy as know I’m alive.

        (one that same note – stop using gmail)

        1. “as someone who values privacy and knows a bit or two about information security (as its my job) – I use Facebook”

          ha-ha-ha… sucker. Sorry, I should have found a way to make that more polite-sounding.

          “(one that same note – stop using gmail)”

          I’d have to START using gmail in order to do that.

    2. “Usually the seeds of corporate downfall are planted when a big company thinks that they know better than their customers.”

      Or, in this case, when big company thinks it knows better than dwb68.

      In any event, what would be the point of Facebook protecting confidentiality? The reason the product is free is because it isn’t confidential. Customers already choose between paying for confidentiality or accepting a free but compromised service. In fact the point (largely) of using Facebook is to project things publicly, to others.

  4. Considering that the first “election secrutity” bill included things like requiring states to allow convicted felons to vote and pre-registering sixteen year olds to vote (and only after the attempt to change the voting age to sixteen was defeated), Mitch McConnell wanting a debate on the bill so that they can see what’s in it before they pass it rather than just pushing it through via “unanimous consent” seems like the prudent course.

    1. “included things like requiring states to allow convicted felons to vote”

      More that 40 states have this already, because felons are still citizens (well, the ones that are citizens are. The ones who aren’t citizens are near the front of the line for deportation hearings.)

      Mitch will never schedule any election security bill for a vote.

      1. Whatever your opinion of mandating felon reenfranchisement nation-wide, it ain’t “election security”. If the Democrats actually wanted election security, they would put forward sharply focused single topic bills.

        They don’t want election security. They want excuses to paint Republicans as opposed to election security.

        Mind, nothing stops McConnell from originating such bills…

        1. ” If the Democrats actually wanted election security, they would put forward sharply focused single topic bills.”

          Because if they did that, things would be totally different, and Mitch would never schedule an election-security bill for a vote as long as he believes R’s are net benefactors of foreign interference.

          “Mind, nothing stops McConnell from originating such bills…”

          Except McConnell being McConnell, that is.

          1. ““Mind, nothing stops McConnell from originating such bills…”

            Except McConnell being McConnell, that is.”

            That’s a fair dig, which is why I included that comment in the first place.

            1. Your voters picked him, both to be a Senator in the first place, and to be the party’s leader in the Senate.

              1. A small subset of our voters picked him to be a Senator, and his fellow Senators picked him to be majority leader.

                1. WHICH kind of voters picked him to be a Senator? WHICH kind of Senators picked him to be party leader?

                  He won both elections where the only people against him were Republicans… so it’s fair to say Republicans picked him. Now, WHY did they pick him? They must think he’s doing a bang-up job, just the kind of Senatorial leadership we need. Sure, the D’s could have put him out on his keister… if there were more of them in Kentucky. Without knowing, so far as I Iknow, a single Kentucky Democrat, I’m going to go ahead and assume they did everything they could to encourage his retirement.

      2. That’s for states to decide, not the federal government to command.

        1. No, the federal government gets a say in who selects federal officers.

    2. What’s the bill number?

  5. Facebook is only E2E encrypted if you do “Secret Conversation”, which I’d never even heard of before looking it up just now to confirm “wait, when was FB Messenger EVER E2E?”.

    (I’d never trust FB on that, either.)

  6. Before digital, we had a physical/fiscal balance between the government’s ability to search and the time and money it took to search. End-to-end strong crypto upsets this balance in one direction and “backdoors” upset in the opposite direction. What we need is crypto that’s expensive and/or time consuming to defeat so that it provides a natural limit on how much snooping the government can do, so that they will only use it in exceptional cases. We keep hearing that we need backdoors to fight terrorist but such technology inevitably ends up being used in routine cases. I would also add that a search is the right to try and look for evidence, not the right to succeed in a search. A backdoor confers the right to succeed in many circumstances. It’s about striking the right balance by limiting capabilities and not relying on trust because any backdoor or weakness will inevitably end up in untrustworthy hands.

    1. What we want is for US to have good, strong, secure encryption, but for THEM to have poor, weak, insecure encryption OR good, strong, secure encryption that we just happen to know how to break readily.

      In ye olden dayes, we solved this problem by treating encryption technology as state secrets and limiting the export of encryption technology the exact same way as we limited the export of munitions and weapon systems.

      Then somebody noticed that other countries weren’t hamstringing their tech sectors by limiting the inclusion of good encryption, and as a result people were buying the foreign products WITH good crypto instead of accepting the American products with bad or no crypto, and they decided that maybe it would be OK if American tech products had good crypto. Around that time, the government floated the idea of key escrow, promising they wouldn’t get into the keys unless they really, REALLY needed to. That idea… didn’t go over.

      So you get to here, where the government really wants to be able to break the crypto of people who are, or at least might be, terrorists and human traffickers and kiddie-porn traders, but everybody wants crypto that can’t be broken.

    2. Yes we saw this with the British RIPA (Regulation of Investigatory Powers Act) which was put forth as “only to be used to go after terrorists, drug king-pins and kiddie molesters” when passed in 2000.

      It took almost no time for the same powers to be used for spying on people to see if they had enrolled their children in a better school than they were entitled to (because plebs), or who were putting the wrong items in the recycle bin. Because there is nothing so petty that it doesn’t demand the full powers of the state.

      This type of bullshit should be stomped on good and hard.

  7. Will Silicon Valley have to choose between end-to-end crypto and shutting down speech it hates?

    Once again – Mr Baker displays he’s completely ignorant of the issues at hand. No surprise.

  8. Election security is fundamentally simple. Go back to paper ballots and require voter id.

    That way, the only fraud will be dead voters coming back to life to vote in chicago. But since that is a fairly small issue, willing to work with the idea.

    1. It needs a bit more than that, if you really want secure elections.

      Periodic voter roll purges to get rid of the non-voting “voters” who are the starting material for absentee ballot fraud. With pre and post election audits.

      Prohibiting “ballot harvesting”.

      More election observers, with serious power to stop things if rules are violated.

      Note, back in the 90’s I was a volunteer for a House campaign that set out to visit every last registered voter in the district. You’d perhaps be surprised at how many of the addresses “voters” were registered at were either non-existent, vacant lots, or non-residential.

      Were those registrations even for real people?

      1. “Periodic voter roll purges to get rid of the non-voting “voters” who are the starting material for absentee ballot fraud. With pre and post election audits. ”

        Cutting voters who don’t live in the district any more? Absolutely fine. Cutting voters who are perfectly valid voters? Not so fine.

        1. But how do you determine if somebody who never votes in person IS a “perfectly valid voter”, without checking on them? Hence the suggestion for audits.

          1. (re-)checking over their documents doesn’t accomplish what you seem to wish it would.

            1. Having somebody other than the local election administrators checking to see if they even exist does accomplish something, though. It would catch cases where they’re manufacturing absentee ballots by having fake people on the voting rolls.

              1. Sure. Along with all those illegal aliens who showed up to vote.

                Maybe check for fake registrations around the time they register, instead of waiting until they go silent.

                1. That might help going forward, but would leave a lot of fake registrations still on the rolls.

                  Personally, I’d favor a registration jubilee every 10 years, where all registrations were canceled out, and you had to reestablish your real world presence and qualifications all over again.

                  1. Not everybody is as fond as you are of the idea of making it harder for citizens to vote. Thankfully.

  9. “Election security is fundamentally simple. Go back to paper ballots and require voter id.”

    It’s that simple if you’re willing to accept that the elections were insecure with paper ballots and voter ID wouldn’t change that. (And no, I’m not just talking about the necro-American vote in Illinois.)

Please to post comments

Comments are closed.