Senators Pretend That EARN IT Act Wouldn't Be Used To Undermine Encryption; They're Wrong

from the plausible-deniability dept

On Wednesday, the Senate held a hearing about the EARN IT Act, the bill that is designed to undermine the internet and encryption in one single move -- all in the name of "protecting the children" (something that it simply will not do). Pretty much the entire thing was infuriating, but I wanted to focus on one key aspect. Senators supporting the bill, including sponsor Richard Blumenthal -- who has been attacking the internet since well before he was in the Senate and was just the Attorney General of Connecticut -- kept trying to insist the bill had nothing to do with encryption and wouldn't be used to undermine encryption. In response to a letter from Facebook, Blumenthal kept insisting that the bill is not about encryption, and also insisting (incorrectly) that if the internet companies just nerded harder, they could keep encryption while still giving law enforcement access.

“This bill says nothing about encryption,” Sen. Richard Blumenthal..., said at a hearing Wednesday to discuss the legislation...

[....]

“Strong law enforcement is compatible with strong encryption,” Blumenthal said. “I believe it, Big Tech knows it and either Facebook is lying — and I think they’re telling us the truth when they say that law enforcement is consistent with strong encryption — or Big Tech is using encryption as a subterfuge to oppose this bill.”

No, the only one engaged in lying or subterfuge here is Blumenthal (alternatively, he's so fucking ignorant that he should resign). "Strong" encryption is end-to-end encryption. Once you create a backdoor that lets law enforcement in, you've broken the encryption and it's no longer strong. Even worse, it's very, very weak, and it puts everyone (even Senator Blumenthal and all his constituents) at risk. If you want to understand how this bill is very much about killing encryption, maybe listen to cryptographer Matthew Green explain it to you (he's not working for "Big Tech," Senator):

EARN IT works by revoking a type of liability called Section 230 that makes it possible for providers to operate on the Internet, by preventing the provider from being held responsible for what their customers do on a platform like Facebook. The new bill would make it financially impossible for providers like WhatsApp and Apple to operate services unless they conduct “best practices” for scanning their systems for CSAM.

Since there are no “best practices” in existence, and the techniques for doing this while preserving privacy are completely unknown, the bill creates a government-appointed committee that will tell technology providers what technology they have to use. The specific nature of the committee is byzantine and described within the bill itself. Needless to say, the makeup of the committee, which can include as few as zero data security experts, ensures that end-to-end encryption will almost certainly not be considered a best practice.

So in short: this bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn’t come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they’ll go bankrupt if they try to disobey this committee’s recommendations.

It’s the kind of bill you’d come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn’t care.

Or listen to Stanford's Riana Pfefferkorn explain how the bill's real target is encryption. As she explains, the authors of the bill (including Blumenthal) had ample opportunity to put in language that would make it clear that it does not target encryption. They chose not to.

As for the "subterfuge" Blumenthal calls out, the only real "subterfuge" here is by Blumenthal and Graham in crafting this bill with the help of the DOJ. Remember, just the day before, the DOJ flat out said that 230 should be conditioned on letting law enforcement into any encrypted communications. So if Blumenthal really means that this bill won't impact encryption, he should write it into the fucking bill. Because as it's structured right now, in order to keep 230 protections, internet companies will have to follow a set of "best practices" put together by a panel headed by the Attorney General, who has said multiple times that he doesn't believe real encryption should be allowed on these services.

So if Blumenthal wants us to believe that his bill won't undermine encryption, he should address it explicitly, rather than lying about it in a Senate hearing, while simultaneously claiming that Facebook (and every other company) can do the impossible in giving law enforcement backdoor access while keeping encrypted data secure.

Filed Under: earn it, earn it act, encryption, intermediary liability, richard blumenthal, section 230


Reader Comments


  • Anonymous Anonymous Coward, 12 Mar 2020 @ 11:05am

    It won't stop them

    There are likely multiple companies, overseas, who are keeping their fingers crossed and hoping and wishing that this bill passes. The profile of these companies are those that have encryption products in existence or in the pipeline, or will start designing their version as soon as the bill passes.

    As has been said many times here (and elsewhere) by many people, the bad guys will get their encryption from someone who isn't under the thumb of the US government. There is probably also a large cadre of people who you and I wouldn't classify as bad, but wish to keep their communications private. Journalists, diplomats, negotiators, strategists, and business executives come immediately to mind. The military has already said that this is a really big mistake.

    The next step will be for the government to claim these offshore products are munitions and therefore illegal. The fact that many of those 'not bad' users are also ones who fund political campaigns will become painfully clear to politicians when that happens.

    • Anonymous Coward, 12 Mar 2020 @ 1:34pm

      Re: It won't stop them

      There are likely multiple companies, overseas, who are keeping their fingers crossed and hoping and wishing that this bill passes.

      So... Google, Facebook, etc.? It would take nothing more than filing a sheet of paper to suddenly be non-US companies. The only reason they haven't already done it is US laws and taxes are far more favorable than those of most other nations. If either of those switches the other way around there is nothing to stop any of them from instantly reducing the US GDP.

  • fairuse, 12 Mar 2020 @ 12:29pm

    Any encryption product without Gov'ment mark

    Yes if bill passed - Only Gov'ment approved encryption. Using Rebel tools to bypass snooping would be like ripping disks. Making and selling devices would be illegal.

    Munitions is eye catching.

    Software / Hardware to bypass and lockout Gov'ment mandated encryption is safety hazard and is criminal act of terrorism.

    • PaulT, 12 Mar 2020 @ 11:51pm

      Re: Any encryption product without Gov'ment mark

      ...and then when the government approved encryption is made useless by their mandated back doors, nobody legally has encryption. Brilliant.

      • Anonymous Coward, 13 Mar 2020 @ 8:13am

        Re: Re: Any encryption product without Gov'ment mark

        Encryption is just math, right?

        So just stop teaching math, and there won't be any more encryption.

    • Anonymous Coward, 16 Mar 2020 @ 5:43pm

      Re: Any encryption product without Gov'ment mark

      I feel that, more likely, what will end up happening is chasing the remaining cleartext traffic to the onion web. Can't use client and server side """"""scanning""""""" if the thing they scan is complete garbage that they don't know where it came from.
      The idea that we've come all this way just to cripple the internet to keep the three letters out is far more terrifying.

  • Bruce C., 12 Mar 2020 @ 12:41pm

    Reminds me...

    of the French government claiming that their copyright regime wouldn't mandate automated filters during the debate over there.

  • Anonymous Coward, 12 Mar 2020 @ 12:50pm

    How does this bill impact email services, where the user can use encryption that is outside the provider's control, like PGP? Will they be expected to block use for any email that the service cannot read?

    • Upstream, 12 Mar 2020 @ 1:44pm

      Email services can read this just fine:

      [PGP-encrypted message]

      • Anonymous Coward, 12 Mar 2020 @ 2:16pm

        Re: Email services can read this just fine:

        I was not asking can email services support encrypted messages at the technical level, but rather would they be allowed to continue to allow encrypted messages on their servers, or would they be held liable if they could not deliver a readable message at the drop of a warrant.

        • That One Guy, 12 Mar 2020 @ 2:31pm

          Re: Re: Email services can read this just fine:

          No and yes respectively, as you can be damn sure that 'able to provide access to all data upon request' would be one of the 'best practices' that would be tied to 230 protections.

      • Anonymous Coward, 16 Mar 2020 @ 5:44pm

        Re: Email services can read this just fine:

        No joke, I would start posting my public key with every message I make if this went into effect.

  • This comment has been flagged by the community.
    Anonymous Coward, 12 Mar 2020 @ 1:32pm

    It'd be a shame if Blumenthal's brakes failed while going down a really steep hill. Think of it as a backdoor into the pressure system that allows his car to stop.

    • That One Guy, 12 Mar 2020 @ 2:37pm

      Re:

      No, just no. The people indifferent about the security and well-being of the public is already too high a number, there is no call for that sort of comment to add to the number.

    • Anonymous Coward, 12 Mar 2020 @ 2:48pm

      Re:

      That hasn't been funny since Henry II and Thomas Becket. Or more contemporarily, any movie with a mobster. Don't be making meme-laden threats about a person's safety.

      If you must use "it would be a shame if", then try this one:

      It would be a shame if, having been warned of the consequences of his bill beforehand, his own correspondence became public because of lack of encryption caused by the bill.

      "Hoist by your own petard", in other words.

  • That One Guy, 12 Mar 2020 @ 2:21pm

    How to spot a dishonest liar in one easy step...

    It’s the kind of bill you’d come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn’t care.

    Not 'kind of', it is. He and those pushing the train wreck have failed to undermine encryption directly, so they've sunk to trying to slip it through in another manner, making clear for all to see how grossly dishonest and dangerous to the public they really are.

  • Anonymous Coward, 12 Mar 2020 @ 3:25pm

    Well, the bill seems to not have garnered much support on Capitol Hill yet with Congress being preoccupied with the coronavirus, so it's not likely to pass before the election, but they may try to pass it during a lame duck session. How likely is the bill to pass?

  • Rocky, 12 Mar 2020 @ 3:30pm

    Full circle...

    So it seems we have come full circle in regards of encryption.

    Once upon a time DES-56 was on the munitions list of things not to be exported from the USA, with EARN IT, it will (and other algorithms) be on the list of munitions forbidden to be imported.

  • Anonymous Coward, 13 Mar 2020 @ 12:14am

    Well implemented encryption can't really be stopped. However, the major weakness in cybersecurity has nothing to do with encryption within the US.

  • Anonymous Coward, 13 Mar 2020 @ 9:04am

    No one of authority gives a damn about kids and pornography and in this case, the whole aim is to undermine encryption, not protect anyone! The USA is fast becoming the same as a nation that was fought against 75 years ago. What the hell happened? How the hell did we get to this place? Once it's here, with just a very few giving orders that the rest have to follow or suffer the consequences, there'll be no coming back. The Land Of The Free is a long way off and a long time away!

    • That One Guy, 13 Mar 2020 @ 2:05pm

      Re:

      No one of authority gives a damn about kids and pornography and in this case, the whole aim is to undermine encryption, not protect anyone!

      Oh that's certainly a big part of it, but it's not the entire goal, there's also forcing platforms to be 'neutral', which is to say give certain groups special treatment and stop 'oppressing' them by applying penalties for TOS violations/being repulsive individuals.
