Will Nevada Kill End-To-End Encryption Next Week?
from the what-happens-in-nevada-makes-everyone-less-safe dept
Last month, we wrote about Nevada’s Attorney General filing an absolutely preposterous, but extremely dangerous, legal filing, demanding that a court bar Meta from offering end-to-end encryption for its messaging apps. Almost everything about this request was crazy. First, Nevada sued Meta, with vague, unsubstantiated claims of “harm to children,” and then it filed a demand for a temporary restraining order, blocking Meta from using encryption, giving the company basically a day to respond.
This all seemed weird, given that encryption has been available in tons of places for many, many years, including on some of Meta’s messaging offerings going back years. Why was it suddenly so necessary to stop them immediately? Nevada also claimed that Meta offering encryption was a “deceptive trade practice” because it says it’s offering encryption to keep people safer when, according to Nevada, it’s inherently harmful.
Thankfully, the court did not issue the immediate TRO, but asked the parties to brief the issue and appear for a hearing next Wednesday. Earlier this week, a bunch of organizations, including the ACLU, EFF, Fight for the Future, Internet Society, Signal, and Mozilla all filed an amicus brief that I’d describe as 43-pages of “what the fuck is this, I don’t even…”
The State’s motion for a preliminary injunction attempts to substitute the judgment of the Attorney General’s office for a national policy developed over decades of discussion with multiple stakeholders. The State paints a picture of E2EE as solely a danger to children. But the reason that E2EE has been widely adopted is that it prevents crime-crime affecting both children and adults. The State has many avenues for pursuing its child-safety investigations without this extraordinary order. It is especially ill-advised to upend decades-old, encryption- specific policies based on a reinterpretation of a broad, general purpose law such as the Nevada Unfair and Deceptive Trade Practices Act, N.R.S. 598.0903-598.0947.
While the Attorney General may disagree, the assertion that E2EE is good for children is a mainstream point of view and not properly classified as “deceptive” (Mot. at 16-17). Millions of children have long used E2EE platforms such as WhatsApp and iMessage. It can hardly be “unconscionable” for Meta to upgrade its product to meet the security and privacy standards that other exceedingly popular products-ones the Attorney General has not challenged have offered to the public for years.
The motion for a preliminary injunction that would stop Meta from providing secure communications to its users is baseless and dangerous. Meta’s provision of end-to-end encryption by default to all Messenger users is not deceptive or unconscionable, meaning the State is unlikely to succeed on the merits. To the contrary, because E2EE protects consumers, its continuation will not cause irreparable harm and in fact benefits the public interest (a preliminary injunction factor the State does not discuss). Clark Cnty. Sch. Dist. v. Buchanan. 112 Nev. 1146, 1150, 924 P.2d 716, 719 (1996). The Court should reject the State’s request.
The overall brief is fantastic. It points out, among other things, that historically most conversations were ephemeral and not recorded, and law enforcement didn’t think that people talking to each other was an inherent threat to children.
Society has long recognized that people thrive when we have the ability to engage in private, unmonitored conversations. Sharing confidences enables people to form friendships and intimate relationships, obtain information about sensitive matters, and construct different identities depending on the audience. We know this from our own lives, whether engaging in pillow talk, meeting a friend for a walk, or forming an invitation-only club. Important, human things happen when we can be confident that no one is listening in.
Before the Internet, these conversations were not recorded or preserved. Our words vanished into the air as they were spoken. Unless someone was eavesdropping, conversations were private, secret, and unrecoverable. Police could not access these interactions. Mail carriers did not make copies of letters and senders and recipients were free to write in code or foreign languages and to destroy the documents after they had been received.
In any other era, a claim that government may obligate us to record and preserve our conversations, just in case investigators wanted to review them later. would be laughably ridiculous. It would simply have been beyond the pale to suggest that people could be required to record their conversations in a language that law enforcement could readily understand and access. Basic conversational privacy was assumed, and rightly so.
The brief gives many examples of why end-to-end encryption makes everyone, including children, more secure. It highlights how many government agencies have endorsed encryption.
But also, importantly, it highlights just how stupid this demand is, given that Nevada law enforcement has plenty of ways to investigate criminal actions, even when there is encryption in messaging. After all, Meta has access to metadata, and any victims can directly provide the content to law enforcement as well.
Riana Pfefferkorn (who also signed onto the brief as an amicus) also wrote a column about this case. She notes that Nevada’s request would not only make children less safe, but it’s extremely unlikely that this destruction of encryption would remain local to Nevada.
If the court grants the Nevada AG’s latter-day request after this month’s hearing, the resulting injunction won’t just affect Nevada’s children. Anyone (adult or child) who talks to them, or is mistakenly identified by Meta as being one of them, will no longer get default E2EE on Messenger either. Plus, a successful request in Nevada might inspire copycat demands elsewhere. That multi-state social media addiction lawsuit against Meta that I mentioned above? It has 42 state AGs as plaintiffs. A copycat injunction for Messenger would mean no more default E2EE for most of the country’s children (and a significant number of adults, as said).
Hopefully those other state AGs would pick a wiser course than this one rogue state AG has chosen. Consumer protection regulators have spent years telling Meta to do better at protecting user privacy. Making Messenger E2EE by default is the best thing Meta has done in that regard in a long time. The Nevada AG’s own complaint against Meta says that “[i]n the digital privacy ecosystem, this is a move that might be lauded.” Yet rather than laud it, the Nevada AG is trying to undo it. He would rather force Meta to give the state’s youngest users worse digital privacy and security than everyone else. That isn’t promoting child safety online; it’s undermining it. Even more astonishing, he’s trying to rebrand default E2EE as an unconscionable and deceptive trade practice. Strong encryption isn’t a violation of consumer protection; it’s a vindication of it.
The Nevada AG’s request is so wildly contrary to well-established best practices and long-standing interpretations of consumer protection law that it would almost be funny if it weren’t so dangerous. We can only hope the judge in Nevada laughs him out of court. The children of Nevada deserve better than this.
Hopefully, the court agrees.
Filed Under: aaron ford, encryption, law enforcement, messaging, nevada, riana pfefferkorn
Companies: meta
Comments on “Will Nevada Kill End-To-End Encryption Next Week?”
Encryption turned me into a newt!
Re:
Ahh, but did you get better when the government decided into invade your privacy daily, for your entire life, just for shits and giggles using a backdoor in ironically titled encryption software?
Re: Re:
Listen, strange women lyin’ in ponds distributin’ swords is no basis for a system of government. Supreme executive power derives from a mandate from the masses, not from some farcical aquatic ceremony.
Re: Re: Re:
The speaker for that line was male.
Re: Re:
Don’t be silly. Obviously, we must put Encryption on a set of scales to see if it weighs more than a duck.
Re: Re: Re:
That’s too much work, just throw Encryption into the water and see if it floats or not. If it sinks, it’s good.
Re:
On the second thought, let’s not go to Las Vegas. Tis a silly place.
Re: Re:
Fear of any trojan rabbit? Or of a large wooden badger?
Re:
Ah, but does it weigh the same as a duck!?!
FCC - Las Vegas
Yes, most communications are between Nevada residents, but there are many cases where communication happens out of state or internationally. When was Nevada appointed by congress to regulate interstate communication and commerce?
Re:
When the AG stepped onto the performance lawsuit stage seeking support for his next political ambition on the platform of protecting children from evil corporations and child molesters and windmills.
'What do you mean MY data will be unencrypted too!? I'm supposed to be more equal!'
Seems to me that the various sites could kill this attempt to put the public in danger by making a pointed public note that politicians and law enforcement use encryption as well, and if the public doesn’t get encryption then neither will they.
Re:
Open Source Encryption will ensure some options remain.
I’m sure they will make using them criminal and I guess I have some court dates coming up. Not because I’m a criminal, but because I will continue to use encryption without a back door, because that’s not encryption.
I wonder which VPN is the hidden sponsor? Utah’s age verification idiocy has been a boon to VPN vendors!
Will I still be allowed to use ROT13?
Will children be rounded up for talking in Pig Latin?
Searching for my decoder ring, I know I left it in here somewhere.
Re:
All currently available evidence suggests police will be completely unable to cope with ROT13 text. And you know how police respond to situations they are not (mentally) equipped to cope with.
That sounds like a lot of work. And work, as we all know, is a fatal allergen to some percentage of the police force. So a child round up likely won’t happen. But I’m sure they aren’t lacking for horrifying alternatives.
The AGs: Meta, you need to protect the children! Give them more privacy!
Also the AGs: Not using end-to-end encryption! We didn’t mean that kind of privacy!
My nose is quivering like a bitch in heat – it sure sounds like Nevada and company are already playing the man-in-the-middle game with lots of communications passing through, around, or even just near, their State borders. As previously pointed out, there’s no rational reason to demand an immediate restraining order be applied to something that’s been in use for what, like 30 years, perhaps longer? I dunno. But to me, it sure looks like their plug is about to be pulled, and they’re desperate to keep it in place. Inquiring minds want to know what’s up with that.
And if Nevada wins a final judgment, what then? Could SSL be far behind? Ditto for TLS? IOW, anywhere you see letter ‘S’ in a TLA regarding a security context, you’re seeing encryption at work. If any one card is removed from that house, the rest of it falls over as well, and we’re right back in the days of 2600…. a war on privacy that neither side will ever win.
tl;dr:
Something stinks here, and it ain’t me!
If the service is hosted outside the United States, Nevada law does not apply