Another Issue With Internet Antitrust Bills: Sloppy Drafting Could Lead To Problems For Encryption

from the not-good,-not-good-at-all dept

As the big push is on to approve two internet-focused antitrust bills, the American Innovation and Choice Online Act (AICOA) and the Open App Markets Act, we’ve been calling out that while the overall intentions of both may be good, there are real concerns with the language of both and how it could impact content moderation debates. Indeed, it seems pretty clear that the only reason these bills have strong support from Republicans is because they know the bills can be abused to attack editorial discretion.

There have been some other claims made about problems with these bills, though some of them seem overblown to me (for example, the claims that the Open App Markets bill would magically undermine security on mobile phones). However, Bruce Schneier now points out another potential issue with both bills that seems like a legitimate concern. They both could be backdoors to pressuring companies into blocking encryption apps. He starts by highlighting how it might work with AICOA:

Let’s start with S. 2992. Sec. 3(c)(7)(A)(iii) would allow a company to deny access to apps installed by users, where those app makers “have been identified [by the Federal Government] as national security, intelligence, or law enforcement risks.” That language is far too broad. It would allow Apple to deny access to an encryption service provider that provides encrypted cloud backups to the cloud (which Apple does not currently offer). All Apple would need to do is point to any number of FBI materials decrying the security risks with “warrant proof encryption.”

Sec. 3(c)(7)(A)(vi) states that there shall be no liability for a platform “solely” because it offers “end-to-end encryption.” This language is too narrow. The word “solely” suggests that offering end-to-end encryption could be a factor in determining liability, provided that it is not the only reason. This is very similar to one of the problems with the encryption carve-out in the EARN IT Act. The section also doesn’t mention any other important privacy-protective features and policies, which also shouldn’t be the basis for creating liability for a covered platform under Sec. 3(a).

It gets worse:

In Sec. 2(a)(2), the definition of business user excludes any person who “is a clear national security risk.” This term is undefined, and as such far too broad. It can easily be interpreted to cover any company that offers an end-to-end encrypted alternative, or a service offered in a country whose privacy laws forbid disclosing data in response to US court-ordered surveillance. Again, the FBI’s repeated statements about end-to-end encryption could serve as support.

Finally, under Sec. 3(b)(2)(B), platforms have an affirmative defense for conduct that would otherwise violate the Act if they do so in order to “protect safety, user privacy, the security of nonpublic data, or the security of the covered platform.” This language is too vague, and could be used to deny users the ability to use competing services that offer better security/privacy than the incumbent platform—particularly where the platform offers subpar security in the name of “public safety.” For example, today Apple only offers unencrypted iCloud backups, which it can then turn over to governments who claim this is necessary for “public safety.” Apple can raise this defense to justify its blocking third-party services from offering competing, end-to-end encrypted backups of iMessage and other sensitive data stored on an iPhone.

And the Open App Markets bill has similar issues:

S. 2710 has similar problems. Sec 7. (6)(B) contains language specifying that the bill does not “require a covered company to interoperate or share data with persons or business users that…have been identified by the Federal Government as national security, intelligence, or law enforcement risks.” This would mean that Apple could ignore the prohibition against private APIs, and deny access to otherwise private APIs, for developers of encryption products that have been publicly identified by the FBI. That is, end-to-end encryption products.

Some might push back on this by pointing out that Apple has strongly supported encryption over the years, but these bills open up some potential problems, and, at the very least, might allow companies like Apple to block third party encryption apps — even as the stated purpose of the bill is the opposite.

As Schneier notes, he likes both bills in general, but this sloppy drafting is a problem.

The same is true of the language that could impact content moderation. In both cases, it seems that this is messy drafting (though in the content moderation case, it seems that Republicans have jumped on it and have now made it the main reason they support these bills, beyond general anger towards “big tech” for populist reasons).

Once again, the underlying thinking behind both bills seems mostly sound, but these problems again suggest that these bills are, at best, half-baked, and could do with some careful revisions. Unfortunately, the only revisions we’ve seen so far are those that carved out a few powerful industries.



Comments on “Another Issue With Internet Antitrust Bills: Sloppy Drafting Could Lead To Problems For Encryption”

9 Comments
Naughty Autie says:

Re:

Fight for the Future and Demand Progress are not fighting for a free and open Internet.

Why is it that organisations that have named themselves in such a way as to make you want to join them have to be so horrible and antagonistic to the ideals their names suggest they are for? Moms for Liberty is another example that immediately springs to mind. 🙀

murgatroyd (profile) says:

Re: Re:

They choose “idealistic” names because they sound, well, idealistic. People who don’t do their due diligence on the organization will see the name and think “Oh, this is a group that is focused on all the Good Things(tm)! I’m going to donate to them!”.

H. L. Mencken said “No one in this world, so far as I know … has ever lost money by underestimating the intelligence of the great masses of the plain people.” Groups like these prove him correct.

ECA (profile) says:

6th grade

Interesting.
In 6th grade we were asked to make a bill, as they would in Congress.
We got to see sample and all kinds of stuff on how they were created.
I think we did better than these folks.

Have any of these persons ever been asked to Think around what is said? HOW to take things out of context and manipulate the words and meanings, to use these in ANY other way than what they were designed for?

That Anonymous Coward (profile) says:

You say sloppy drafting, I say it’s the point.
How many times can they pitch a law where they ‘accidentally’ undermine encryption until we can stop pretending that it wasn’t one of the goals?

There are literally hundreds of bills sitting on the sidelines, going nowhere because Bitch McConnell is a douche. Stop pretending you don’t have time to have your bills reviewed for the top 10 common mistakes or that the bill is too important to review.

Lostinlodos (profile) says:

Hand holding or baby crying

Open App Markets bill would magically undermine security on mobile phones

Well, …lol.
You own it. Break it however you like. Let the idiots destroy their phones. Have at it.
No, again my only concern with forcing (easier, you already can) side loading on Apple mobile devices is what liability will apple be forced to take on for stupid people.
When an iPhone gets bricked by ransomware and is under warranty, how long before lawsuits fire up to force repair? Not that these suits would go far, but it’s just another burn of money for the company.

It would allow Apple to deny access to an encryption service provider

and could be used to deny users the ability to use competing services that offer better security/privacy than the incumbent platform

I’m not sure how apple could deny anything with an open install system. I’m missing something here? A user could download an app and install it. The only thing apple could actually do is bar using their own services with another service. Direct App interaction. Which is their right.
Or access by non-app store apps to apple’s services. That’s not exactly a new idea. Apple has no mandate (and should have no mandate) to allow some non-apple app access to say, iCloud.
You want something not in the App Store, you should not expect it to work like it came from the App Store.
Buy a generic android tablet not defined and authorised by google you shouldn’t expect playstore, at all, let alone working.

I’ve bought “disposable” tablets from time to time to try running something near-guaranteed to do damage to the device. Those $10-$25 tablets don’t have any google software. Installing playstore (unofficially) may or may not work.

If the idea/concern here is apple could bar non-Apple-approved apps from accessing Apple services and features… GOOD!
That maintains Apple’s security!
The last thing we need to be reading about is some rogue encryption app that encrypts an iCloud Drive and then shuts down, and somehow it’s Apple’s fault.

Looks more like this is demanding you want to do whatever you want on the phone (rightfully) AND demanding that those items work perfectly in harmony despite Apple never approving use.
When you use outside software you throw safety and compatibility out the window, from the walled garden. It’s on the user to know what they’re doing. Nobody has a mandate to hold your hand and never should such a mandate be made.

Naughty Autie says:

Re:

You want something not in the App Store, you should not expect it to work like it came from the App Store.

Why not? I sideload apps off APK Pure, and I fully expect them to run like I got them from Google Play. Why should iPhone owners not expect iOS apps from there to run like they’re from the App Store? They’re all built and uploaded by the same devs as on the official stores, after all. If I didn’t know better, I’d think you were encouraging device owners to force monopolies so Google and Apple will be shut down for anti-trust. Oh, wait…
