Congress will have some tough choices to make as they face an unprecedented crisis. With the coronavirus sparing no one and several members of Congress testing positive, school’s “out for summer” as our legislative branch packs in the desktops, mice and coffee mugs and heads to a work-from-home zone like the rest of us. And what will they turn to in order to keep their communications private and secure? Could it be the very encryption that they vilified on March 11 in a Senate Judiciary Committee hearing for the EARN IT Act?
This legislation is the latest in a long line of battering-ram attempts to breach the sanctum of encrypted technology and insert easily accessible backdoors into our devices, services and platforms. Think WhatsApp, Signal, Telegram. Think your iPhone. Think enterprise software. Think Huawei (too late?). Opponents call it semi-legalized government snooping; those in favor call it free season on criminals (as if they’ll just do their business out in the open). And that’s what will be up to Congress to decide. Um, as they potentially use those unlegislated, fully encrypted end-to-end platforms. Think WhatsApp, Signal, Telegram.
Senator Lindsey Graham (R-S.C.), proponent of the EARN IT Act of 2020
It seems we have a predicament here. This season, members of Congress, along with the rest of the world, will be struggling with the challenges of working at home securely. They might well be working and communicating via encrypted chat platforms and videoconferencing software (we hope). And ironically, they might also be voting against them.
The EARN IT Act of 2020, put forth by Judiciary Committee Chairman Lindsey Graham (R-S.C.) and Senators Dianne Feinstein (D-Calif.) and Richard Blumenthal (D-Conn.), states that private end-to-end encrypted messaging platforms would have to either provide encryption backdoors to law enforcement or take full blame for any foul play caught within their encrypted confines.
Which begs the question: “If you can catch the foul play within their encrypted confines, why do you need backdoors?”
While the move raises eyebrows (the Electronic Frontier Foundation goes so far as to say it violates the Constitution), it’s touted as a bill to prevent online child exploitation. Ten or twenty years ago it was terrorism. Ten or twenty days ago it was the coronavirus. Attempts at government surveillance haven’t passed fully yet.
But unfortunately the peril doesn't stop there. Everything connected to the internet will be affected by encryption backdoors, from your home security system to self-driving cars, nuclear reactors and the grid. Venafi CEO Jeff Hudson explains more.
Congress will have a lot to grapple with, personal interest included, as they publicly risk voting for a measure they themselves would struggle to keep. What are the options? Vote “lesser encryption for the rest of you” while they silver-spoon it on some specially encrypted government platform? How’s that, constituents? Or, “we’ll eat our own dog food” and publicly acknowledge that they made it less safe, as they vote on measures crucial to the security of the American people in a time of global pandemic.
The answer may seem befuddlingly clear, but we’ve been surprised in times of crisis before.
Child exploitation is without exception a serious, unmitigated crime, and a nauseating one at that. But with the entire globe facing an onslaught of cyber challenges around the new bio-threat, vaccines that have yet to be discovered and everyone from defense contractors to Congress working from home, it may paradoxically not even be the biggest one. However, the consequences of the EARN IT Act could be the most long lasting. A remote-Congress may have to deal firsthand with the task and responsibility of communicating in a vacuum, completely secure to the outside world, in order to pass legislation that would maintain the integrity of the Congressional vote. Without end-to-end encryption, that would not be possible.
With backdoors provided via the EARN IT Act, that may not be possible either.
“According to the DuckDuckGo research, 58.2% of people didn’t realize that many notes apps don't encrypt notes by default, which implies that they're not seeking out these manual options.” This is bad, but what’s worse is what it implies.
Perhaps not surprisingly, many notepad and similar thought-jotting apps don’t come fully encrypted. It’s still an optional, “special feature.” That doesn’t stop a lot of us from slipping credit card information, passwords and login credentials into the unencrypted pages, according to the research.
Don’t worry, there are a few things that you can do.
- Adjust those settings:
  - Microsoft OneNote allows for AES-128 encryption. It’s not available out of the box, but you can enable it.
  - Evernote lets you encrypt a note—on the desktop version.
- Encrypt beforehand:
  - Use Adobe Acrobat to encrypt your PDFs. Then save them to your notes.
  - VeraCrypt and BitLocker (Windows) also provide third-party encryption.
- Use a password manager:
  - LastPass—Comes completely encrypted out of the box, a full-service secure password manager for the masses. Now let’s just hope that doesn’t get hacked.
- Standard Notes is a local tool that employs AES-256 by default.
Okay, so most people don’t take care of their data, but what’s the point?
What the research reveals is far more than poor data hygiene practices. It red-flags a pervasive, underlying problem that may explain why the EARN IT Act doesn’t get front-page coverage (and it should). In the coming decade, privacy rights and encryption may be the Civil Rights battleground of the 2020s. If they’re not already, it's only for lack of knowing, as the data above points to. A lot of intelligent people I know still don’t have a usable grasp of what encryption “does” or how it “works” or why it’s indispensable.
Let’s face it, the tech boom, Fourth Industrial Revolution and all related techno-wonders caught us charmed and unaware. You’ll let me do more in less time? Sure. You’ll store my stuff in less space? Of course. You’ll host my unimpeded communication over your unencrypted platform? Why not. And, just like bundled mortgages, IMF loans or Social Security, we’ll pay for it later.
Now is later. Our constitutional and civil rights are wrapped up in where we express them, and for the past two and a half decades, that’s been online. Encryption matters because it protects what you do, and what you say, and how you say it, and who you are, online. It protects you.
And that’s worth encrypting.