With Tonya Riley.
Tech companies and cybersecurity advocates are now in an open war with Congress as they face the most serious legislative threat to strong encryption protections in more than a decade.
Hours after leaders of the Senate Judiciary Committee introduced the EARN IT Act — which threatens to weaken encryption in order to better curb online child sexual exploitation — industry leaders and cybersecurity advocates savaged the bill.
They called it dangerous and unconstitutional, and a sneaky way to force companies to abandon strong encryption.
“Strong encryption is a bedrock for national security, our digital economy and individual safety — including children ... EARN IT erodes that,” the Consumer Technology Association, which includes Facebook and Microsoft among its members, said on Twitter.
The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act is something like a shot heard ’round the world in the encryption battle that has been bubbling since the 1990s. It ramped up dramatically in 2014 as superstrong encrypted communication systems became far more common. But this is the first time in recent years that a bill has been introduced that will force lawmakers to openly take sides in the dispute.
The bill — which is sponsored by Judiciary Committee Chairman Lindsey Graham (R-S.C.) and ranking Democrat Dianne Feinstein (Calif.) plus eight other sponsors and co-sponsors — doesn't actually target encryption directly.
It would strip tech companies of their liability protection for what users post on their platforms, including child pornography. It creates a new task force to determine how companies can earn back their prized legal shields, filled with people from government agencies, law enforcement, industry and organizations for survivors and victims of abuse.
Yet encryption advocates fear that the commission's eventual requirements to fight child pornography might effectively force companies to give law enforcement special access to encrypted communications in order to track what users are sharing. They're calling it a “backdoor to a backdoor” that would compromise the cybersecurity of everyone who uses the technology.
“The EARN IT Act would fail to meaningfully tackle exploitative content beyond current tools and laws and contains fatal flaws that would undermine cybersecurity, privacy and free speech,” said Jason Oxman, president of the Information Technology Industry Council trade association, which includes Apple, Google and Twitter among its members.
Sen. Ron Wyden (D-Ore.), a longtime encryption advocate, called the bill “a Trojan horse to give Attorney General Barr and Donald Trump the power to control online speech and require government access to every aspect of Americans’ lives.”
Read my full statement on the disastrous EARN IT Act, which will give Bill Barr and Donald Trump more control over the internet: pic.twitter.com/LF9WF2F5dV— Ron Wyden (@RonWyden) March 5, 2020
“The EARN IT Act creates a false choice between protecting children and supporting strong encryption protections,” Carl Szabo, general counsel at the tech advocacy group NetChoice, said.
Even the American Civil Liberties Union and the conservative advocacy group Americans for Prosperity — not normally bedfellows — released a joint statement opposing the bill.
“The EARN It Act threatens the safety of activists, domestic violence victims, and millions of others who rely on strong encryption every day,” ACLU Senior Legislative Counsel Kate Ruane said.
AFP Senior Policy Analyst Billy Easley slammed the bill for not providing guarantees that encryption backdoors “won’t be exploited by bad actors to gain access to our most personal information.”
The digital advocacy group Fight For the Future released an online petition condemning the bill, which had collected more than 12,000 signatures this morning.
The bill did, however, have support from several organizations for victims and survivors of sexual abuse, including the National Center for Missing and Exploited Children, Rights4Girls, and the National Center on Sexual Exploitation, its sponsors said.
It’s far from clear that the EARN IT Act will pass the Senate or become law. But the fact it was even introduced marks a big change from just a few years ago when the Justice Department appeared on its back heels in the encryption fight.
Indeed, in 2016 Feinstein and Sen. Richard Burr (R-N.C.), then the Democratic and Republican leaders of the Senate Intelligence Committee, abandoned a far weaker draft encryption bill before even formally introducing it. The move came after the FBI stepped back from a legal standoff with Apple in which it tried to force the company to help it crack into an encrypted iPhone used by San Bernardino, Calif., shooter Syed Farook.
Then in 2018 the bureau was rocked by internal watchdog reports that found it had rushed to litigation against Apple without exploring other ways to crack into Farook’s phone and repeatedly overstated how many cases were foiled by encryption.
The tide shifted, though, when Attorney General William Barr began warning last year that child predators were commonly using encrypted communications systems to share explicit images and groom children — a pivot from earlier anti-encryption efforts, which had focused more on their use by terrorists. The warning came as Facebook was preparing to expand encryption across its messaging services, which Barr said would produce a surge in crimes going undetected.
The United Kingdom and Australia also introduced their own measures weakening encryption protections, giving added juice to the U.S. effort.
During a separate event yesterday, Barr and leaders from those nations plus Canada and New Zealand introduced 11 voluntary principles negotiated with tech firms including Facebook to combat online child exploitation. They include that companies will put enhanced safety measures in place for young users and help victims report crimes.
During that event, Barr warned that “predators’ supposed privacy interest should not outweigh our children’s privacy and security.”
“No child should ever have to endure the unspeakable pain and suffering of sexual exploitation and abuse,” he said. “Sadly, however, technological change over the past few decades have amplified the scope and harm caused by these crimes.”
PINGED, PATCHED, PWNED
PINGED: The CIA’s secret acquisition of Swiss firm Crypto AG, recently revealed by my colleague Greg Miller, was the “intelligence coup of the century.” But a historical rivalry between the CIA and the National Security Agency, the United States' two largest intelligence powerhouses, almost derailed use of the prized spying tool, Greg reports.
The NSA “opted out” of negotiations to acquire the cryptography firm in the late 1950s, according to a classified history obtained by The Post, and it took more than a dozen years for the CIA to get the deal back on track. The conflict was the first of many between the two agencies over the intelligence operation, which would allow them to spy on over 100 countries.
“NSA’s last-minute balk is depicted as a typically misguided move by a code-breaking agency known for risk aversion, raising petty objections and ‘dithering,’ ” Greg reports. The CIA often acted with less concern for rules, clashing with the more timid NSA, the documents show. The spy agencies also disagreed over issues of tradecraft.
“Between the CIA and the NSA there were always disputes about which of these services had the say,” a senior German intelligence official said in that agency’s history of the operation. “CIA saw itself as the one in charge.”
The tables turned decades later when NSA officials mobilized to convince then-CIA Director Stansfield Turner to not scrap the program, pointing out how critical it had become to their ability to monitor the communications of dozens of foreign governments.
PINGED: A new bill in the California legislature would guard against the technical errors and long wait times Los Angeles County voters experienced on Super Tuesday. The plan, introduced by California state Sen. Ben Allen (D-Santa Monica), would require L.A. County to increase the number of voting centers during Election Day or provide all voters with vote-by-mail ballots before the November 2020 general election.
“I was dismayed to hear of the delays and lines that significantly impacted the voter experience for many Angelenos,” Allen said.
California Common Cause, an election watchdog group, also called on the county to guarantee voters access to mail-in ballots in November, citing technical concerns and the possibility that coronavirus will suppress voter turnout.
Here are some big-picture takeaways about election tech failures across the country on Super Tuesday from Edward Perez, a former executive at the voting machine company Hart InterCivic:
3/ Lesson #2: Because tech is fragile & not always reliable, election officials *must* have a “Plan B.”— Eddie Perez (@eddieperezTX) March 5, 2020
In other words, “If our tech goes down, how will we support uninterrupted voting, as much as possible? What will we do when ‘situation normal’ no longer applies?”
PWNED: A top State Department official warned members of Congress that Russia is behind “swarms of online, false personas,” spreading misinformation about coronavirus, my colleague Tony Romm reports. The “entire ecosystem of Russian disinformation is at play,” Lea Gabrielle, the coordinator of the State Department’s Global Engagement Center, said during a hearing examining the department's growing role in combating online propaganda from abroad.
An unpublished report from the State Department revealed nearly 2 million tweets pushing coronavirus-related conspiracy theories.
“Gabrielle did not link that report with her broader conclusions about Russian interference” during the hearing, Tony writes. “But she said actors tied to the country — through 'state proxy websites,' official state-owned media and fake accounts online — were part of an effort to 'take advantage of a health crisis, where people are terrified worldwide, to try to advance their priorities.' "
The U.S. government has offered no public evidence backing up its claims about coronavirus disinformation, sparking criticism from tech companies implicated in the allegations and confusion among some lawmakers. Sen. Cory Booker (N.J.), the top Democrat on the subcommittee that convened the hearing, called on the State Department to share more about its findings with the public.
Twitter also said earlier this week it is “not seeing significant coordinated platform manipulation efforts around these issues,” and questioned the State Department's research methodology.
— The White House halted reporting requirements for about 2,000 data centers that hold government information, limiting what investigators know about their protections against cyberattacks, according to a new report. Now, the Government Accountability Office is urging the White House to resume auditing the centers for cybersecurity risks.
— More cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad:
- The Cyberspace Solarium Commission will release of its final report and recommendations during a public event on Wednesday at 2:30 p.m.
- The Senate Committee Judiciary will hold a hearing Wednesday on “The EARN IT Act: Holding the Tech Industry Accountable in the Fight Against Online Child Sexual Exploitation” on Wednesday at 10:00 a.m.