History just keeps on repeating itself. Yet again, there’s a law that’s being considered by the American government that threatens the use of encryption. And anything that threatens encryption threatens everyone’s cybersecurity.
What is the EARN IT Act?
The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, otherwise known as the EARN IT Act, has the support of US Senators Lindsey Graham (R-SC), Josh Hawley (R-MO), Dianne Feinstein (D-CA), and Richard Blumenthal (D-CT).
The EARN IT Act is supposed to help law enforcement crack down on those who exploit children online. I’m completely in favor of doing one’s absolute best to stop those who engage in child exploitation. But there have to be better ways of doing that than weakening cryptography for absolutely everyone.
Okay, so here’s some of what the Committee on the Judiciary says about the EARN IT Act:
“The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act) would create incentives for companies to ‘earn’ liability protection for violations of laws related to online child sexual abuse material (CSAM).
The legislation is also cosponsored by U.S. Senators Kevin Cramer (R-North Dakota), Doug Jones (D-Alabama), Joni Ernst (R-Iowa), Bob Casey (D-Pennsylvania), Sheldon Whitehouse (D-Rhode Island), and Dick Durbin (D-Illinois).
The bill amends Section 230 of the Communications Decency Act to allow companies to ‘earn’ their liability protection for violations of laws related to child sexual abuse material...
Before companies can certify compliance, there is a period of Congressional review for the Commission-developed best practices...
Companies can choose to certify compliance with best practices in order to maintain immunity from child sexual abuse material statutes. If companies do not want to certify compliance with best practices, they can maintain immunity by establishing that they have other reasonable practices in place to prevent child sexual exploitation.”
Section 230 of the Communications Decency Act was passed in 1996. It relieves online platforms and internet providers, such as Facebook or your ISP, of some of the responsibility when someone uses those services to violate the Communications Decency Act, for example by exchanging child exploitation material. Despite Section 230, companies like Facebook and Google still usually do their best to assist law enforcement when one of their users is accused of doing something illegal. There are definitely ways to investigate online child exploitation right now, and the perpetrators often do get caught, even when they use the Dark Web.
How EARN IT Affects Our Encryption
Anyway, even though the Committee on the Judiciary didn’t directly mention encryption, the EARN IT Act would definitely affect its use and implementation. Riana Pfefferkorn is the associate director of surveillance and cybersecurity at Stanford's Center for Internet and Society. She wrote:
“The bill would, in effect, allow unaccountable commissioners to set best practices making it illegal for online service providers (for chat, email, cloud storage, etc.) to provide end-to-end encryption -- something it is currently 100% legal for them to do under existing federal law, specifically CALEA. That is, the bill would make providers liable under one law for exercising their legal rights under a different law. Why isn’t this conflict with CALEA acknowledged anywhere in the bill?
The CSAM (child exploitation material) traders who do stay on the good-faith platforms (say, Facebook) will still be able to encrypt CSAM before sending it through, say, Facebook Messenger, even if Facebook Messenger itself were to no longer have any end-to-end encryption functionality. Even if the EARN IT Act bans providers from offering end-to-end encryption, that won’t keep CSAM offenders from cloaking their activities with encryption. It will just move the place where the encryption happens to a different point in the process. File encryption technology is out there, and it’s been used by CSAM offenders for decades; the EARN IT Act bill can’t change that.”
My concern is that, as Bruce Schneier always says, any encryption backdoor weakens cryptography everywhere. As he wrote in 2016 when the FBI wanted Apple’s help to decrypt a crime suspect’s iPhone:
“The FBI wants the ability to bypass encryption in the course of criminal investigations. This is known as a ‘backdoor,’ because it's a way at the encrypted information that bypasses the normal encryption mechanisms. I am sympathetic to such claims, but as a technologist I can tell you that there is no way to give the FBI that capability without weakening the encryption against all adversaries. This is crucial to understand. I can't build an access technology that only works with proper legal authorization, or only for people with a particular citizenship or the proper morality. The technology just doesn't work that way.
If a backdoor exists, then anyone can exploit it. All it takes is knowledge of the backdoor and the capability to exploit it. And while it might temporarily be a secret, it's a fragile secret. Backdoors are how everyone attacks computer systems.
This means that if the FBI can eavesdrop on your conversations or get into your computers without your consent, so can cybercriminals. So can the Chinese. So can terrorists. You might not care if the Chinese government is inside your computer, but lots of dissidents do. As do the many Americans who use computers to administer our critical infrastructure. Backdoors weaken us against all sorts of threats.”
EARN IT: A Hidden Agenda?
In my opinion, the EARN IT Act may be taking advantage of our disgust at the heinousness of child exploitation as a Trojan horse to make sure that the American government can access anyone’s data without resistance. US Attorney General William Barr has repeatedly tried to arouse fear and pass laws that would threaten our privacy and security as citizens with increasingly digital lives. During a speech he gave in July 2019, Barr said:
“Service providers, device manufacturers and application developers are developing and deploying encryption that can only be decrypted by the end user or customer, and they are refusing to provide technology that allows for lawful access by law enforcement agencies in appropriate circumstances. As a result, law enforcement agencies are increasingly prevented from accessing communications in transit or data stored on cell phones or computers, even with a warrant based on probable cause to believe that criminal activity is underway. Because, in the digital age, the bulk of evidence is becoming digital, this form of ‘warrant proof’ encryption poses a grave threat to public safety by extinguishing the ability of law enforcement to obtain evidence essential to detecting and investigating crimes. It allows criminals to operate with impunity, hiding their activities under an impenetrable cloak of secrecy...
The Department has made clear what we are seeking. We believe that when technology providers deploy encryption in their products, services, and platforms they need to maintain an appropriate mechanism for lawful access. This means a way for government entities, when they have appropriate legal authority, to access data securely, promptly, and in an intelligible format, whether it is stored on a device or in transmission. We do not seek to prescribe any particular solution. Our private-sector technology providers have immensely talented engineers who have built the very products and services that we are talking about. They are in the best position to determine what methods of lawful access work best for their technology.”
Backdoor for One Means Backdoor for All
Actually, any “immensely talented engineer” working in the private sector would say that any encryption backdoor weakens all encryption. And something being “lawful” doesn’t necessarily make it virtuous or beneficial. It was once “lawful” in the United States to prevent someone from marrying someone of a different race. And there have been many, many other laws throughout the years that are now considered cruel and socially backwards. What’s lawful is only what those who write the laws think is good at the time.
And weakening encryption introduces many dangers into our everyday lives, such as exposing the victims of domestic assault, making our sensitive financial data available to cyber attackers, or giving a cyber attacker access to an Internet-of-Things medical device that could possibly kill someone. It’s important that we in the cybersecurity community oppose the EARN IT Act as much as we possibly can.