Senators Launch Full On Nuclear War Against Encryption: Bill Will Require Broken Encryption, Putting Everyone At Risk
from the stop-pushing-this-bullshit dept
Another day, another bad bill. Just as we’re coming to terms with the EARN IT Act moving forward in Congress, three Senators — Lindsey Graham, Tom Cotton, and Marsha Blackburn — have announced a direct attack on encryption. The full bill is here. It’s 51 pages of insanity that would effectively destroy privacy and security on the internet. This is five-alarm fire bad.
For what it’s worth, Graham is also a co-sponsor of the EARN IT Act, which makes me wonder if he’s going to agree to an amendment of EARN IT that keeps encryption out of it while pushing this bill instead. That’s now the rumor making the rounds, and I even received a press release from an anti-porn activist group supporting this bill because they think it will help clarify that EARN IT won’t end encryption (none of that makes sense to me either, but…)
The announcement of the bill includes all the usual “think of the children” nonsense, claiming that we can’t have encryption because some bad people might use it for bad stuff. The press release summarizes what they claim the bill will do:
Highlights of the Lawful Access to Encrypted Data Act:
- Enables law enforcement to obtain lawful access to encrypted data.
- Once a warrant is obtained, the bill would require device manufacturers and service providers to assist law enforcement with accessing encrypted data if assistance would aid in the execution of the warrant.
- In addition, it allows the Attorney General to issue directives to service providers and device manufacturers to report on their ability to comply with court orders, including timelines for implementation.
- The Attorney General is prohibited from issuing a directive with specific technical steps for implementing the required capabilities.
- Anyone issued a directive may appeal in federal court to change or set aside the directive.
- The Government would be responsible for compensating the recipient of a directive for reasonable costs incurred in complying with the directive.
Incentivizes technical innovation.
- Directs the Attorney General to create a prize competition to award participants who create a lawful access solution in an encrypted environment, while maximizing privacy and security.
Promotes technical and lawful access training and provides real-time assistance.
- Funds a grant program within the Justice Department?s National Domestic Communications Assistance Center (NDCAC) to increase digital evidence training for law enforcement and creates a call center for advice and assistance during investigations.
In short, this basically says “break encryption, but we won’t tell you how.” We’re right back to “nerd harder” except that this time it’s “nerd harder, or you’re breaking the law.”
Attorney General Barr statement: "I am confident that our world-class technology companies can engineer secure products that protect user information and allow for lawful access."
— Sean Lyngaas (@snlyngaas) June 23, 2020
The problems with this should be evident from all the times we’ve discussed this before, so I’m really not interested in going over it all again. But the quick summary: installing a “backdoor” or “lawful access” to encrypted communications is not a simple technical problem. As cryptography expert Matt Blaze once said, it’s like saying “well, if you can land a man on the moon, why can’t you land a man on the sun.” A backdoor to encryption literally breaks the encryption and opens up a huge host of other problems, none of which are readily solvable. Instead, you just find more and more problems, each of which makes everyone less secure.
The actual text of the bill is even worse than the summary. It’s crazy long so I won’t do a full breakdown here, but will call out a few scary, scary bits. The key part is that this basically requires the end of encryption. While there is some language early on about it not applying if “technically impossible,” there is other language that more or less cancels that out. Specifically, it requires Apple and other large device sellers to backdoor encryption. It is not an option, but a requirement:
DEVICE MANUFACTURERS.?A device manufacturer that sold more than 1,000,000 consumer electronic devices in the United States in 2016 or any calendar year thereafter, or that has received an assistance capability directive under section 3513, shall ensure that the manufacturer has the ability to provide the assistance described in subsection (b)(2) for any consumer electronic device that the manufacturer?
??(A) designs, manufactures, fabricates, or assembles; and ??(B) intends for sale or distribution in the United States.
So, if you sell more than a million consumer electronic devices in the US, you are required to make sure they have backdoors. That’s… going to be a LOT of backdoors. Every Alexa device. Every smart TV. And, of course, every phone. That’s devices. How about apps and services? More of the same:
PROVIDERS OF REMOTE COMPUTING SERVICE; OPERATING SYSTEM PROVIDERS.?A provider of remote computing service or operating system provider that provided service to more than 1,000,000 subscribers or users in the United States in 2016 or any calendar year thereafter, or that has received an assistance capability directive under section 3513, shall ensure that the provider has the ability to provide the assistance described in subparagraphs (A) and (B) of subsection (b)(2) for any remotely stored data that the provider processes or stores.
That’s… a lot of websites that will be barred from using real end-to-end encryption. The “shall ensure” part is what should scare everyone.
That’s still talking about data stored on those servers though. As for “data in motion” again, services will have to provide backdoors under this bill. The reference to “technically impossible” only seems to apply to “independent actions of an unaffiliated entity that make it technically impossible to do”. So, the only way to avoid having to break encryption on your own services is to… outsource it to an unaffiliated entity who can make it impossible for you to break the encryption?
As for messaging services: again, the bill “shall ensure” assistance:
A provider of wire or electronic communication service that had more than 1,000,000 monthly active users in the United States in January 2016 or any month thereafter, or has received an assistance capability directive under section 3513, shall ensure that the provider has the ability to provide the information, facilities, and technical assistance described in section 2518(4).
And it gets worse. The bill allows the Attorney General to order someone to break encryption:
If a person fails to comply with a directive issued under subsection (b), the Attorney General may file a petition for an order to compel the person to comply with the directive in the United States District Court for the District of Columbia, which shall have jurisdiction to review the petition.
There’s also a giant “NERD HARDER” section, which explains Bill Barr’s comments above. Basically it creates a contest, run by the Attorney General, to create a type of backdoored encryption where the Attorney General and his hand-picked judges will determine which technology wins. And by “wins” I mean loses, because that technology will be broken in no time at all, putting everyone at risk.
This whole thing is so incredibly dangerous, and it’s not even clear that encryption is a real problem for law enforcement. The basic cost-benefit analysis here is that this law would put everyone, and all our communications, at risk of attack, for a possible benefit in a tiny number of cases, where there remains no evidence that a backdoor would have helped stop any crime. I can’t see how the tradeoff is worth it, and any elected official pushing this nonsense should be asked to explain how they weigh these costs and benefits. And if they answer like Bill Barr by saying “smart techies can figure it out” they should have their views discounted for being idiots.
Meanwhile, the press release leads off with quotes from the three sponsors, all of which are head-bangingly wrong, but designed to do the usual tugging at the emotional strings rather than any actual recognition of what they’re pushing here:
?Terrorists and criminals routinely use technology, whether smartphones, apps, or other means, to coordinate and communicate their daily activities. In recent history, we have experienced numerous terrorism cases and serious criminal activity where vital information could not be accessed, even after a court order was issued. Unfortunately, tech companies have refused to honor these court orders and assist law enforcement in their investigations. My position is clear: After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans. It also puts the terrorists and criminals on notice that they will no longer be able to hide behind technology to cover their tracks,? said Graham.
There remains little evidence that terrorists have been able to communicate without law enforcement being able to access the info. Remember, the FBI flat out lied about how many devices it had in its possession that it couldn’t get into, and has since refused to give an updated number (despite multiple requests). At the same time, every time the FBI does come out and point to a situation where it can’t get into a phone, a few months later, they seem to admit that, well, actually, there was a technology that let them get in.
On top of that, we’ve discussed how law enforcement and the FBI have access to so much other information thanks to social media, and various open source intelligence tools, that the idea that they need to attack encryption is just ridiculous.
And that leaves out something else too: if we put backdoors into encryption, guess what will become a huge target for “terrorists and criminals”? That’s right: all of our communications.
?Tech companies? increasing reliance on encryption has turned their platforms into a new, lawless playground of criminal activity. Criminals from child predators to terrorists are taking full advantage. This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet,? said Cotton.
This is just a joke. The internet is not “lawless” and there’s no indication of increased criminal activity, nor any evidence that law enforcement cannot solve crimes because of encryption or the internet. This bill won’t ensure anything other than opening up a new avenue for terrorists and criminals to terrorize.
?User privacy and public safety can and should work in tandem. What we have learned is that in the absence of a lawful warrant application process, terrorists, drug traffickers and child predators will exploit encrypted communications to run their operations,? said Blackburn.
Yes, user privacy and public safety do work in tandem. But you know would would ruin that? Breaking encryption and throwing both of those things into the gutter.
This bill should be trashed and these three Senators (and the Attorney General) deserve mockery for a technically ignorant, totally clueless and dangerous bill that would harm Americans and destroy both privacy and security, because some law enforcement agencies are too lazy to do their jobs. Frankly, the intelligence community should come out screaming about this bill as well, as they know full well how much more dangerous this will make their own work. This is a ridiculous attack on the internet.