Encryption

Senators Push Sneaky Anti-Privacy Bill

The EARN IT is an attack on encryption masquerading as a blow against underage porn.

|

A cabal of unsavory U.S. senators have introduced a long-anticipated measure that would pressure tech companies to weaken protections for communications privacy in the guise of a measure aimed at child porn.

While the bipartisan bill, S.3398, never mentions the word "encryption," it makes online companies liable for information exchanged by their users unless they adopt practices approved by the government. Smart observers assume that means leaving people's messages open to snoopy officials.

"The Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act would create incentives for companies to 'earn' liability protection for violations of laws related to online child sexual abuse material," asserts a March 5 press release from the Senate Judiciary Committee. The release lists Senators Lindsey Graham (R-South Carolina), Richard Blumenthal (D-Connecticut), Josh Hawley (R-Missouri), and Dianne Feinstein (D-California) as leads on the bill, with an additional three Democrats and two Republicans as co-sponsors.

Civil liberties advocates of all stripes pushed back immediately.

"The measure … would lead to a 'backdoor' in encrypted services, thereby jeopardizing the security of every individual," the American Civil Liberties Union and Americans for Prosperity riposted in a joint response. "Technology experts and civil society organizations have repeatedly warned that backdoors could be exploited by bad actors and that no backdoor could guarantee only law-abiding officials have access."

While the official text of S. 3398 is not yet available, draft copies have circulated for weeks, giving lawyers and tech experts plenty of time to examine its implications. In particular, they've scrutinized the bill's reservation of Section 230 protections against liability for the speech of third parties to only a company that has "implemented, and is in compliance with, the child exploitation prevention best practices published by the Attorney General," in the language of the draft bill.

"This bill is trying to convert your anger at Big Tech into law enforcement's long-desired dream of banning strong encryption," warns Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford Law School. "The AG could single-handedly rewrite the 'best practices' to state that any provider that offers end-to-end encryption is categorically excluded from taking advantage of this safe-harbor option. Or he could simply refuse to certify a set of best practices that aren't sufficiently condemnatory of encryption. If the AG doesn't finalize a set of best practices, then this entire safe-harbor option just vanishes."

That's an extrapolation, of course, since the bill doesn't use the word "encryption" at all. Sen. Blumenthal even flat-out insists, "this is not an encryption bill." But the senators' announcement of the EARN IT Act leans heavily on forcing tech companies to adopt "best practices related to identifying and reporting online child sexual exploitation" or else face "civil recourse if companies choose not to comply with best practices or establish reasonable practices." It's difficult to see how companies are going to detect the exchange of forbidden material if they offer their users end-to-end encryption. They'll have to weaken or abandon such offerings to escape liability for users' communications, but without ever explicitly being told to do so.

But weakening encryption with backdoors, or abandoning it entirely, would also do away with the benefits it offers to people seeking to protect themselves from state surveillance, hackers, identity thieves, and nosy busybodies.

"The bill would fall far short of the goal of protecting children, while at the same time making all Americans less safe and less secure by potentially exposing everyone in society to substantially higher risk from malicious cyber actors, including hostile nation-states," cautions the Media Alliance, a coalition of 25 organizations.

That's an excellent point. People use encryption to protect sensitive information from prying eyes. Such information might involve child pornography, but it's far more likely to consist of financial data, personal communications, timely journalism kept from investigative targets, and political messages likely to draw the ire of government officials. The reasons for using encryption are as real and varied as the reasons for keeping your cash in a safe and your front door locked.

Critics also fret that EARN IT would draft private companies into the senators' potentially unconstitutional and ill-defined crusade against … well, ostensibly against "child sexual exploitation," but really against privacy.

"The proposed bill may not comport with the First Amendment, as numerous categories listed as matters to be addressed in the best practices are written in an overly broad fashion, without clear definitions," the Media Alliance adds. The organization also worries that if tech firms abide by the pressure to search users' communications for forbidden material, "a court could find that such private companies were acting as 'agents of the government.'"

But vagueness and the conscription of private parties to enforce politicians' whims should come as no particular surprise when we're discussion an anti-encryption law that masquerades as a strike against kiddie porn. Nothing is as it seems to be in this bill, which prescribes penalties for violators, with the means of avoiding them to be sketched in at some later date.

"Under EARN IT, the Commission would effectively have the power to change and broaden the law however it saw fit, as long as it could claim that its recommendations somehow aided in the prevention of child exploitation," notes the Electronic Frontier Foundation's Elliot Harmon.

But no matter what details are filled in later, the alleged targets of the billchild pornographersare likely to remain largely immune to its mandates. Already engaged in criminal activity, and warned by the passage of the law, they're bound to turn to legal or illegal stand-alone encryption products and the dark web to keep their secrets.

"Short of a form of government intervention in technology that appears contemplated by no one outside of the most despotic regimes, communication channels resistant to surveillance will always exist," acknowledged a 2016 report from the Berkman Center for Internet and Society at Harvard University.

Lawmakers may despise encryption for the barrier it poses to government surveillance, but their nosy presumption doesn't actually keep kids safe, nor reduce Americans' very real need for privacy. In fact, government officials' overt hostility to public use of end-to-end encryption is all the more reason to keep such privacy protection handywhether or not snoopy senators think we've earned it.

NEXT: Expelled for a Night of Drunken Sex, $283,000 in Debt

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. All they will do is drive techies to implement user end-to-end encryption. Not many people will use it, simply because phones won’t come with it installed. But some will, including terrorists.

    Next step, ban that app. But others will immediately spring up, direct copies.

    Next step, ban similar apps, and there’s where the trouble comes in — how do you define “similar”? If you say any app with end-to-end encryption, how will you detect it? You can’t easily tell from the code itself — it doesn’t have to call “encrypt()” and “decrypt()”, they can be called anything, like “apple()” and “orange()”.

    Step by step, they’ll make life harder for ordinary people and not bother criminals at all.

    1. Which is exactly what makes me think that the true purpose of banning encryption has little to do with terrorists at all..

    2. Just like gun laws.

    3. The great Nice answer I am impressed
      Delhi Girls number

  2. Senators Lindsey Graham (R-South Carolina), Richard Blumenthal (D-Connecticut), Josh Hawley (R-Missouri), and Dianne Feinstein (D-California).

    Well if this group is for it. I’m against.

    1. The four horsemen of statist autocracy.

      1. The four horses’ asses. I don’t mean that the four of them are four horse’s asses, I mean each of them individually is the equivalent of four horses’ asses.

        1. Not the whole ass. Just the ass hole.

    2. Graham and Feinstein teaming up? Say no more, I already hate it.

  3. I am opposed to any and all bills with a name forced by an acronym.
    When I am Emperor, I will keep a legislature around to remind the citizens WHY I came to power, but any bill with a cutsie name will get the sponsors imprisoned in a public square.

  4. i want to also update my security to make a trust for my users if they buy Wikipedia Editing Services and they will 100% feel secure while purchasing something from my websites.

  5. oooh a *law!* will stop those hyper-intelligent computer-types from outsmarting us.

    1. I use a heavily Diffie-Hellman encryption that I wrote using a 2048-bit rotating key. I estimate it would take the NSA over a year to crack a message because the key shifts.

      1. I think even the NSA will take several years for 2048 bit

        1. If you value your privacy spend some time chatting with transenwien ladies

  6. EARN IT

    Well, you can tell it’s not new tax legislation.

  7. At first they be like:

    “The EARN IT is an attack on encryption”

    Then they be like:

    “never mentions the word “encryption,”

    All of this even though:

    “While the official text of S. 3398 is not yet available”

    Still, they be going on like:

    “That’s an extrapolation, of course, since the bill doesn’t use the word “encryption” at all. Sen. Blumenthal even flat-out insists, “this is not an encryption bill.”

    Way to go Reason.

    It’s a rather genius move from what I can see. Going on just the draft it states that companies are not required to scan or search for such material because I’m pretty sure by doing so the site operators then become state agents.

    What this does seem to do is make criteria that could hinder those that set up a site with user-generated content. It’s not about stopping kids from being abused, but rather from stopping it from being shared. We have no idea what the conditions are going to be, but I’m assuming some kind of identity verification. They are using this to put an end to a whole bunch of shit because this would cut back a lot of copyright infringement, revenge porn or just porn in general, defamation, foreign interference, and closet furries.

    Section 230 doesn’t isn’t much of an issue when it comes to companies that only provide direct messaging so I guess view that as like your landline or cell phone. Are those encrypted? Have we been demanding that those communications are encrypted? Even though they’re not are we still using them? Do they verify our identity?

    If they verify every user you’re not going to want to do anything illegal on it even if it is encrypted. The second someone gets busted they have everyone that sent and received anything illegal if they get into the account. If they offer the person busted a great deal then they’ll let them in.

    When you think about it there isn’t a truly secure way to communicate. Even if you whisper something to someone and then shoot them in the head something may have heard the whisper.

  8. The reasons for using encryption are as real and varied as the reasons for keeping your cash in a safe and your front door locked.

    QFMFT. Maybe some politicians will start hyping “Encryption is a basic human right!”

    1. Police can break open a safe and fucking kick down your front door. Since when has a safe or a front door ever stopped the police?

      “Well, we knew he had murdered the woman and was keeping her head in a safe inside his home. Not only could we not break down the front door, but that safe he has is a real bugger to open so we gave up.”

      1. The difference you are ignoring is that the police need a warrant to kick down your door or break open your safe. The proposals described above are intended to prevent you from ever buying locks, curtains or even doors. They are intended to give the government the ability to snoop without needing a warrant.

        1. The only people talking about a backdoor are Reason here. The issue seems to be that with how things are now with a warrant you won’t find shit. With phone calls, texts, etc you leave a record. More importantly, the companies providing the service identify you before allowing you to use the service.

          Expect to be able to encrypt. Just not anonymously and records will have to be kept. What good is a backdoor if it leads to anonymous communications? Because of the 4A the only thing the government can legally do is burden the fuck out of companies thus preventing them from offering things.

          1. “The only people talking about a backdoor are Reason here.” No, Graham has been banging that drum for months now. This legislation is obviously an attempt at an end-run around any resistance.

            Additionally, Feinstein has always been a strong advocate for crime victims. Unfortunately, that has put her on the wrong side of this legislation. She has demonstrated a willingness to dispense with any liberty in the pursuit of bubble-wrapping the population. I’ve always assumed she was fundamentally damaged by discovering the bodies of Milk and Moscone.

            Blumenthal is just a turd. If you haven’t read his history, look it up. He should not be allowed to serve in office above sewer inspector.

            I’ll reserve comments on Hawley, as it’s bad form to criticize the severely retarded.

            1. It’s got 9 supporters in total IIRC. It could pass and most of the arguments I’m seeing against it are emotional ones which isn’t a good sign.

              Politicians want section 230 gone. At first they’re going to try to do what they can to chip away at it and then it’s either not going to matter because sites will stop users from posting or it will get yanked.

              In 2014 11 million instances of child exploitation were reported. In 2019 it was about 70 million. Now, that could be because their ability to detect it increased, but no business wants to have those kinds of numbers. So, the logical step is to not see it and lower the numbers. Anonymous messages with encryption is the answer. You can brag that you caught millions of illegal images, but that means your service is being used by perverts for illegal activity. You look like shit either way. If you can’t see it you can’t report it and they can’t be forced to look for it due to issues with the 4A.

              This was a long-time coming. I’m not blaming the sites and I’m not blaming the politicians. I’m blaming people for being shit. Human beings can suck sometimes and they screw everything up for everyone.

              From the illegal content, to piracy, to all the movements and causes, protests, drug sales, porn, Justin Bieber, foreign interference, misinformation, and Donald Trump getting advertised constantly it was a matter of time.

              1. I stopped reading when you cited made up self-refuting stats. 70 million “exploited” children in one year? How may children do you think there are in the USA? Do you think all of them are exploited?

                _Think_ before posting.

      2. Yes, police can crack a safe or breach the front door, assuming they have a warrant, or exigent circumstances in the case of the door (hard to imagine how that could apply to a safe, but some prosecutors can be very creative when trying to argue against the judge tossing evidence).

        Analogously, the police can brute-force an encrypted file, again assuming a warrant. Of course, if the file was encrypted using a good implementation of AES-256 and the key isn’t on a post-it note or USB drive somewhere, they might have to wait until after the end of the universe for the process to complete…

  9. If they were smart the cabal of unsavory U.S. senators should have wrote the bill in Chinese, tech companies understand it well.

  10. Whether a person agrees with it or not the very fact it gives representative legislative powers to (ONE-KING) the A.G. should be enough for anyone who is against dictatorship to be entirely against it…

    If the AG doesn’t finalize a set of best practices, then this entire safe-harbor option just vanishes.

    1. “If the AG doesn’t finalize a set of best practices, then this entire safe-harbor option just vanishes.”

      That very well may be the point. It would kill interactive computer services. You’d still have shopping, banking, paid porn sites, Hulu, Netflix, Hamsterdance, and personal websites. People could make interactive services, but they could get sued.

      Wouldn’t it be funny if FB, Twitter, and YT died, but Infowars carried on just fine? They have the most secure business model.

  11. So a lot of people hate the current AG, but they want to expand the AG’s ability to write the rules on his/her own.

  12. …timely journalism kept from investigative targets, and political messages likely to draw the ire of government officials.

    And yet you won’t see much mainstream journalism produced that does anything but parrot the government’s position.

  13. “A cabal of unsavory U.S. senators…” made me do a quick count.
    Yep, 100.
    All accounted for.

  14. I am making a good salary from home $1200-$2500/week , which is amazing, under a year back I was jobless in a horrible economy. I thank God every day I was blessed with these instructions and now it’s my duty to pay it forward and share it with Everyone, Here is what I do. Follow details on this web page,.. Read more

  15. This is very Amazing when i saw in my Acount 8000$ par month .Just do work online at home on laptop with my best freinds . So u can always make Dollar Easily at home on laptop…….. Read more

  16. I am making a good MONEY (500$ to 700$ / hr )online on my Ipad .Do not go to office.I do not claim to be others,I yoy will call yourself after doing this JOB,It’s a REAL job.Will be very lucky to refer to this…. Read more  

Please to post comments

Comments are closed.