Senators Pretend That EARN IT Act Wouldn't Be Used To Undermine Encryption; They're Wrong
from the plausible-deniability dept
On Wednesday, the Senate held a hearing about the EARN IT Act, the bill that is designed to undermine the internet and encryption in one single move — all in the name of “protecting the children” (something that it simply will not do). Pretty much the entire thing was infuriating, but I wanted to focus on one key aspect. Senators supporting the bill, including sponsor Richard Blumenthal — who has been attacking the internet since well before he was in the Senate and was just the Attorney General of Connecticut — kept trying to insist the bill had nothing to do with encryption and wouldn’t be used to undermine encryption. In response to a letter from Facebook, Blumenthal kept insisting that the bill is not about encryption, and also insisting (incorrectly) that if the internet companies just nerded harder, they could keep encryption while still giving law enforcement access.
?This bill says nothing about encryption,? Sen. Richard Blumenthal…, said at a hearing Wednesday to discuss the legislation…
?Strong law enforcement is compatible with strong encryption,? Blumenthal said. ?I believe it, Big Tech knows it and either is Facebook is lying ? and I think they?re telling us the truth when they say that law enforcement is consistent with strong encryption ? or Big Tech is using encryption as a subterfuge to oppose this bill.?
No, the only one engaged in lying or subterfuge here is Blumenthal (alternatively, he’s so fucking ignorant that he should resign). “Strong” encryption is end-to-end encryption. Once you create a backdoor that lets law enforcement in, you’ve broken the encryption and it’s no longer stronger. Even worse, it’s very, very weak, and it puts everyone (even Senator Blumenthal and all his constituents) at risk. If you want to understand how this bill is very much about killing encryption, maybe listen to cryptographer Matthew Green explain it to you (he’s not working for “Big Tech,” Senator):
EARN IT works by revoking a type of liability called Section 230 that makes it possible for providers to operate on the Internet, by preventing the provider for being held responsible for what their customers do on a platform like Facebook. The new bill would make it financially impossible for providers like WhatsApp and Apple to operate services unless they conduct ?best practices? for scanning their systems for CSAM.
Since there are no ?best practices? in existence, and the techniques for doing this while preserving privacy are completely unknown, the bill creates a government-appointed committee that will tell technology providers what technology they have to use. The specific nature of the committee is byzantine and described within the bill itself. Needless to say, the makeup of the committee, which can include as few as zero data security experts, ensures that end-to-end encryption will almost certainly not be considered a best practice.
So in short: this bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn?t come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they?ll go bankrupt if they try to disobey this committee?s recommendations.
It?s the kind of bill you?d come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn?t care.
Or listen to Stanford’s Riana Pfefferkorn explain how the bill’s real target is encryption. As she explains, the authors of the bill (including Blumenthal) had ample opportunity to put in language that would make it clear that it does not target encryption. They chose not to.
As for the “subterfuge” Blumenthal calls out, the only real “subterfuge” here is by Blumenthal and Graham in crafting this bill with the help of the DOJ. Remember, just the day before the DOJ flat out said that 230 should be conditioned on letting law enforcement into any encrypted communications. So if Blumenthal really means that this bill won’t impact encryption he should write it into the fucking bill. Because as it’s structured right now, in order to keep 230 protections, internet companies will have to follow a set of “best practices” put together by a panel headed by the Attorney General who has said multiple times that he doesn’t believe real encryption should be allowed on these services.
So if Blumenthal wants us to believe that his bill won’t undermine encryption, he should address it explicitly, rather than lying about it in a Senate hearing, while simultaneously claiming that Facebook (and every other company) can do the impossible in giving law enforcement backdoor access while keeping encrypted data secure.