With Tonya Riley
A bipartisan bill aimed at curbing online child exploitation became ground zero yesterday in the battle over encryption, with each side accusing the other of acting in bad faith.
The dispute prompted by a Senate Judiciary Committee hearing demonstrates the vast gulf between advocates of super-strong encryption, who say it’s vital for cybersecurity, and law enforcement hawks who fear encrypted communications could give free rein to child predators and other criminals.
The bill at issue, the EARN IT Act, would strip tech companies of liability protections when their users share child pornography and other materials that exploit children. It would also establish a 19-member commission to create rules companies can follow to earn back that liability shield.
Tech companies and cybersecurity experts fear that commission will require companies to give law enforcement special access to encrypted communications with a warrant. And they’re accusing lawmakers of using public revulsion at child exploitation to weaken protections that make the Internet safer for everyone.
Lawmakers, meanwhile, are accusing tech companies of using encryption as an excuse to avoid taking responsibility for criminal activity on their platforms.
“I think encryption is a red herring. It's a subterfuge,” Sen. Richard Blumenthal (D-Conn.), one of the bill’s lead sponsors, told me. “If we said we're going to prohibit any ban on [strong] encryption … they would have some other reason to oppose it.”
Tech companies’ real goal, Blumenthal charged, is not losing any portion of their liability shield — guaranteed by Section 230 of the Communications Decency Act — protecting them from being sued for anything users post on their sites. He characterized those protections as a relic of an earlier era when Internet companies needed special protections to innovate and thrive.
“The tech companies are so self-interested and self-absorbed that they're focusing on how their legal shield may be pierced rather than how they shield children from abuse and exploitation,” he said.
Any recommendations from the commission — including any effort to weaken encryption — would require support from 14 of its 19 members, which will include Cabinet secretaries, technologists, law enforcement and sexual exploitation victims and their advocates. Those recommendations would also have to be approved in Congress.
Here’s more from Blumenthal on Twitter:
Action is urgently needed. I don’t want to look back 15 years from now & say, “We could have saved lives that in the meantime have been damaged or destroyed.” The time is now to pass the EARN IT Act. pic.twitter.com/RYylQlFZif — Richard Blumenthal (@SenBlumenthal) March 11, 2020
Cybersecurity experts, however, shot back that lawmakers were being disingenuous by not acknowledging the commission probably will target super-strong encryption, often called end-to-end encryption, which shields the contents of communications even from the platform people are communicating on.
They acknowledge end-to-end encryption makes it tougher for both companies and law enforcement to monitor possible child exploitation. But they argue weakening it would be far too damaging because any encryption back door designed for police could also be targeted by hackers.
“Basically, I see this as a cowardly measure to maintain plausible deniability that this is not about encryption,” Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, told me.
“The message from Congress is ‘protect users, not too much, mostly kids,’” she said, paraphrasing a diet credo by author Michael Pollan.
Will Cathcart, who leads Facebook’s end-to-end encrypted WhatsApp messaging service, argued on Twitter that the EARN IT Act “has the potential to make people less safe, not more, by reducing the security of … over 2 billion people.”
Absent clear protections for encryption, EARN IT has the potential to make people less safe, not more, by reducing the security of the over 2 billion people who use WhatsApp to communicate, not to mention all the other encrypted services as well. 2/ — Will Cathcart (@wcathcart) March 11, 2020
The online dating company Match Group, which owns Tinder, OkCupid and Match.com, testified in favor of the bill. The majority of tech companies oppose the bill, however. The Internet Association trade group, which represents many of the largest tech companies including Amazon, Facebook, Google and Microsoft, testified against it.
Even among lawmakers there was a split about how directly the bill might target encryption protections.
During the hearing, Blumenthal said repeatedly that the EARN IT Act is “not an encryption bill.” He also noted that some platforms have made substantial progress combating material that exploits children despite using end-to-end encryption.
WhatsApp, for example, says it removes about 250,000 accounts each month that it suspects are sharing explicit photos of children based on digital signatures from known photos – even though it can't see the photos themselves.
Blumenthal is not willing, however, to include a measure in the bill that says encryption is off-limits in the proposed commission's recommendations, he told me.
“I doubt I am the best qualified person to decide what best practices should be,” he said. “Better-qualified people to make these decisions will be represented on the commission. So, to ban or require one best practice or another [beforehand] I just think leads us down a very perilous road.”
Senate Judiciary Chairman Lindsey Graham (R-S.C.), however, criticized Facebook for planning to expand end-to-end encryption across its messaging services, warning the company will “go blind.”
“The bill is not about the encryption debate, but, the best business practices [the commission will recommend], I’m dying to find out what they should be,” he said.
After the hearing he told reporters: “I’m very concerned about the idea of going blind. I’ve been told you can have encryption and still have reporting systems [and] I’m worried about terrorism. I’m worried about all that.”
PINGED, PATCHED, PWNED
PINGED: Sen. Mark R. Warner (D-Va.) is calling on the White House and a task force led by Vice President Pence to increase efforts to combat online misinformation about the coronavirus amid a slew of reports about phony cures and conspiracy theories.
Warner is urging the coronavirus task force to develop a comprehensive strategy to counter misinformation, including campaigns by Russia and other foreign actors. Cybersecurity companies have also identified numerous hacking scams tied to phony information about the virus aimed at stealing people’s personal information.
Warner also slammed President Trump for “injudicious and false statements” about the virus that contradict the advice of his administration's own health experts and could “legitimize already widespread online misinformation.”
Pence's office did not respond to a request for comment.
The White House, meanwhile, is asking large tech companies to help it combat misinformation about the coronavirus and to track its spread, my colleague Tony Romm reports.
The European Union is also reviving an alliance with U.S. tech firms to issue rapid alerts about misinformation in light of the virus, the Wall Street Journal’s Valentina Pop reports.
PATCHED: A bill that would give the Department of Homeland Security subpoena power to force Internet companies to share the names of organizations that are vulnerable to hacking is one step closer to law after it was passed yesterday by the Senate Homeland Security Committee.
Top DHS cybersecurity official Chris Krebs praised the victory on Twitter, calling the legislation “critical” to the agency's mission.
Thank you @SenRonJohson @SenGaryPeters @SenatorHassan for your work to pass the #Cybersecurity Vulnerability Identification and Notification Act out of committee. This legislation is critical to the @CISAgov mission. https://t.co/sJlmJkF9mO — Chris Krebs (@CISAKrebs) March 11, 2020
The bill, which was passed by the House Homeland Security Committee in January, could still face some roadblocks before becoming law. Some cybersecurity experts have criticized it for potentially giving DHS the power to snoop on companies and bully them into adopting digital protections.
PWNED: A bill that would mandate a top-to-bottom security review of the United States’s next-generation 5G wireless networks is on its way to the president’s desk after unanimous passage in the House. The bill passed the Senate last week.
The Secure 5G and Beyond Act of 2020 comes amid widespread concern about Chinese spying on 5G networks and after the Trump administration already banned the Chinese telecom Huawei from building U.S. networks. It calls on the Trump administration to come up with a comprehensive security plan within 180 days to protect U.S. mobile technology companies from Chinese espionage, as well as a list of “trusted suppliers” for 5G equipment.
“It is long past time that the Trump Administration prepare our networks for the 5G future — this bill will force the Administration to do exactly that and ensure federal agencies work together on a comprehensive plan to secure 5G,” Energy and Commerce Committee Chairman Rep. Frank Pallone Jr. (D-N.J.) and communications and technology subcommittee Chairman Mike Doyle (D-Pa.) said in a statement.