Florida’s New Social Media Bill Says The Quiet Part Out Loud And Demands An Encryption Backdoor
from the seems-bad dept
At least Florida’s SB 868/HB 743, “Social Media Use By Minors” bill isn’t beating around the bush when it states that it would require “social media platforms to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena.” Usually these sorts of sweeping mandates are hidden behind smoke and mirrors, but this time it’s out in the open: Florida wants a backdoor into any end-to-end encrypted social media platforms that allow accounts for minors. This would likely lead to companies not offering end-to-end encryption to minors at all, making them less safe online.
Encryption is the best tool we have to protect our communication online. It’s just as important for young people as it is for everyone else, and the idea that Florida can “protect” minors by making them less safe is dangerous and dumb.
The bill is not only privacy-invasive, it’s also asking for the impossible. As breaches like Salt Typhoon demonstrate, you cannot provide a backdoor for just the “good guys,” and you certainly cannot do so for just a subset of users under a specific age. After all, minors are likely speaking to their parents and other family members and friends, and they deserve the same sorts of privacy for those conversations as anyone else. Whether social media companies provide “a mechanism to decrypt end-to-end encryption” or choose not to provide end-to-end encryption to minors at all, there’s no way that doesn’t harm the privacy of everyone.
If this all sounds familiar, that’s because we saw a similar attempt from an Attorney General in Nevada last year. Then, like now, the reasoning is that law enforcement needs access to these messages during criminal investigations. But this doesn’t hold true in practice.
In our amicus brief in Nevada, we point out that there are solid arguments that “content oblivious” investigation methods—like user reporting— are “considered more useful than monitoring the contents of users’ communications when it comes to detecting nearly every kind of online abuse.” That remains just as true in Florida today.
Law enforcement can and does already conduct plenty of investigations involving encrypted messages, and even with end-to-end encryption, law enforcement can potentially access the contents of most messages on the sender or receiver’s devices, particularly when they have access to the physical device. The bill also includes measures prohibiting minors from accessing any sort of ephemeral messaging features, like view once options or disappearing messages. But even with those features, users can still report messages or save them. Targeting specific features does nothing to protect the security of minors, but it would potentially harm the privacy of everyone.
SB 868/HB 743 radically expands the scope of Florida’s social media law HB 3, which passed last year and itself has not yet been fully implemented as it currently faces lawsuits challenging its constitutionality. The state was immediately sued after the law’s passage, with challengers arguing the law is an unconstitutional restriction of protected free speech. That lawsuit is ongoing—and it should be a warning sign. Florida should stop coming up with bad ideas that can’t be implemented.
Weakening encryption to the point of being useless is not an option. Minors, as well as those around them, deserve the right to speak privately without law enforcement listening in. Florida lawmakers must reject this bill. Instead of playing politics with kids’ privacy, they should focus on real, workable protections—like improving consumer privacy laws to protect young people and adults alike, and improving digital literacy in schools.
Reposted from the EFF’s Deeplinks blog.
Filed Under: encryption, florida, hb 743, privacy, sb 868, security, social media, social media use by minors
Comments on “Florida’s New Social Media Bill Says The Quiet Part Out Loud And Demands An Encryption Backdoor”
It would lead to effectively banning end-to-end encryption. There is no such thing as a mathematical backdoor not available to everyone.
All it takes is one minor successfully signing up against all checks that they are not a minor to trigger such a law. Even if there was an exception for minors that lie, the resulting exception would be an affirmative defense, only usable after the incident and make the use difficult and expensive.
Re:
I say they should go with malicious compliance. Run a separate service on local Florida servers just for Florida residents with a warning that the Florida law requires a lack of effective encryption so users are accepting that their data isn’t safe on the service and indemnifying the service and then list the telephone numbers, email addresses, and office addresses of all the legislators who voted in favor of it.
Re: Re:
I love this idea.
Welcome to Florida Nation Bank.
[ ] “You agree that your data is no longer private and this site is not responsible for lost account funds or compromised accounts, per Florida law.”
There are going to be two types of apps developed in the future, apps for the free states, and apps for the rest.
Re:
There’ll only be apps for “the rest”, as the free states would be too few in number.
Sorry to say but the vices are clamping in on the web at this point, on both freedom and privacy.
'No see the camera login screen has 'Good Guys Only' on the front page!'
Demanding ‘warrant friendly’ encryption is like insisting that every bedroom have a camera installed in it, with nothing more than a pinky-promise that it will only ever be turned on and used by the Good Guys(tm).
This will just drive sites to start blocking sites in the usa, especially when 230 is repealed.
Bypassing that with VPN or proxy does break any law
And neither does bypassing firewalls to access blocked websites
I have stayed on hotels that jam cellphones so they can charge their exorbitant rates for using a house phone
Since my cell carrier supports wifi calling I can use the hotel wifi to make a cell phone call
Using a VPN to bypass their firewall to connect to their internet calling does not break any laws and doing that avoided the 7.95 a call even to call an 800 number
Bypassing their firewall to avoid that charge did not break any computer hacking laws either in California or at the federal level
Sites in either an independent California. Cascadia(Oregon, Washington) or Pacifica(California, Oregon,Washington) would not be subject to that law or any laws of the remaining united statea
Re:
Yeah, yeah.
You know most of the drivers behind those are also RWNJ.
If we’re talking about Florida, I’m not sure there are “good guys”.
That’s a bit misleading, since multiple methods can complement each other. They’re not interchangeable. And as your brief notes, methods efficacy varies a lot, particularly for CSE/CSAI ( there are only three categories in which more providers said ACS was more useful for detecting abuse than metadata or user reports: CSAI (by far) and, by a smaller margin, phishing/malware and CSE). A minor being abused is the type of thing that is much less likely to be user reported (or saved) to begin with (and CSAI not at all).
“plenty” and “most” doing a lot of work, there.
Ephemeral messaging has a very clear effect on the ability to collect evidence, especially if that involves breaking into a device.
It’s not worth breaking encryption, but we need to be honest about the trade offs that incurs, instead of soft pedaling it.
Before the backdoor is distributed to official law enforcment bodies...
…it will already be in the hands of:
Amateur hackers, script kiddies;
Industrial spiesMalicious foreign interests
Political enemiesanyone who has secrets worth peering at by law enforcement will resort to secure systems, and if those are made illegal, they’re resort to stenographic secure systems that look like insecure systems, and nowadays we have AI eager to write our junk text.
That is to say, law enforcement will be foiled or at least delayed (for decades) by the same technology used in the pizza connection
Re: Forgive the markup errors
TIL markdown on Techdirt now supports the double-tilde strikeout convention.