With Tonya Riley
Congress should abandon a new bill that could be used to roll back encryption as part of an effort to combat the spread of online child pornography, according to an overwhelming majority of cybersecurity experts surveyed by The Cybersecurity 202.
About 85 percent of our standing panel of experts called the bill, dubbed the EARN IT Act, a bad idea.
“The EARN IT Act would cause great harm to the open Internet and put everyday Americans at greater risk — creating problems rather than offering a solution,” said Heather West, head of policy for the Americas at the nonprofit Internet company Mozilla.
The Cybersecurity 202 Network, first launched in 2018, comprises more than 100 cybersecurity experts who participate in our ongoing informal surveys. The panel includes current and former officials from the U.S. government, private sector and the security research community. (You can see the full list here.)
The EARN IT Act would strip tech companies of their prized liability protections for what users share on their platforms, unless they follow rules designed by a new government task force — which experts fear would require companies to give law enforcement special access to encrypted communications.
Network experts warned that such a move would make hundreds of millions of people more vulnerable to hacking — and probably wouldn’t even accomplish its main goal of preventing online child exploitation.
“The EARN IT bill not only will fail at its objectives, but will also destroy the protection encryption provides to everyday citizens’ medical, financial and personal data,” said Steve Grobman, chief technology officer of the cybersecurity firm McAfee.
The bill's sponsors, Sens. Lindsey Graham (R-S.C.) and Richard Blumenthal (D-Conn.) frequently point out that it doesn’t include the word “encryption” and there’s no guarantee the task force it envisions would focus on the protection. The bill, introduced earlier this month, appeared to be gaining steam on Capitol Hill before the urgent need to respond to the coronavirus pandemic effectively forced all other congressional work into the background.
Experts charged, however, that the bill was designed so that weakening encryption would be the inevitable result.
"This bill… is clearly a ‘backdoor to a backdoor’ to encryption,” said Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford University’s Center for Internet and Society.
Whitney Merrill, a former Federal Trade Commission attorney, called it “encryption backdoor legislation in disguise” and warned that “while there's no mention of ‘encryption’ in the bill, there is no possible way to do what the bill requires without undermining end-to-end encryption,” a technical term for encrypted communications that can’t be viewed even by the company providing the messaging service.
“The bill is targeted at child exploitation only as a means of achieving the broader goal of government surveillance generally,” said Paul Rosenzweig, a top Department of Homeland Security official during the George W. Bush administration who now runs Red Branch Consulting.
Other experts lashed out at the idea of the U.S. attorney general leading the proposed task force. Attorney General William Barr has been among the most outspoken critics of encryption when it impedes law enforcement investigations, they noted.
“Making it easier to combat child exploitation is the right idea," said Scott Montgomery, vice president and chief technical strategist at McAfee. "However, giving Attorney General Barr (or any single AG) oversight of a committee weighing a nebulous ‘best practices' list …is a singularly terrible idea.”
The fact the bill puts Barr at the head of the task force “says all you need to know” about how encryption will fare if it’s passed, said Mark Weatherford, a former DHS cybersecurity official.
“While you can’t argue that the issue of online child sexual exploitation should be addressed through legislation, it’s politically underhanded to use this sensitive public safety issue as subterfuge to advance an issue they’ve been otherwise unsuccessful in achieving,” said Weatherford, who’s now a global information security strategist at Booking Holdings.
Some experts also warned the bill could result in much broader access to encrypted communications for law enforcement even when child pornography is not the main concern.
“It pushes toward an Internet where the law require[s] every message sent to be read by government-approved scanning software,” said Cindy Cohn, executive director of the Electronic Frontier Foundation, a digital rights advocacy group.
Joe Hall, senior vice president for a strong Internet at the Internet Society, a global nonprofit group, called the bill “a bipartisan buzz-saw steamroller through digital rights and free speech.”
And if the government gains special access to encrypted communications with a warrant, there’s no guarantee hackers won’t steal that access and use it to swipe users' personal information, warned Jake Williams, a former National Security Agency hacker and founder of the cybersecurity company Rendition Infosec.
“The government has shown time and time again that they can't protect classified information from access (and even release) by unauthorized parties,” he said, pointing to two prominent leaks of secret hacking tools from the NSA and CIA that proved devastating for the agencies.
“To think the government can (or will) do any better with encryption backdoors given this context is laughable,” he said.
“Experts agree that backdoors could be exploited by bad actors and that no backdoor could guarantee only law-abiding officials have access,” said Jennifer Granick, surveillance and cybersecurity counsel with the American Civil Liberties Union’s Speech, Privacy, and Technology Project.
And even if the bill does result in weaker encryption in products from U.S. companies, criminals could still use products with stronger encryption produced in the European Union or elsewhere, some experts warned.
“Put simply, the EARN IT bill would mandate faulty encryption for Americans, while strong encryption would still be easily available to anyone intelligent enough to download their application from, for example, an E.U. server,” said Sascha Meinrath, a Penn State professor and founding director of X-Lab, a think tank focusing on the intersection of technologies and public policy.
That would also make it more difficult for U.S. tech companies to compete overseas, warned Katie Moussouris, founder and CEO of Luta Security.
“American tech with such mandated encryption backdoors will end up on other countries’ banned software lists, regarded much like Huawei is in the U.S.,” she said, referring to the Chinese telecom firm that officials have accused of aiding Chinese spying and banned from many U.S. networks.
A 15 percent minority of Network experts said the EARN IT bill was a good idea.
Former NSA general counsel Stewart Baker argued that limiting encryption might be necessary to prevent the spread of child pornography and other criminal activity.
“If encryption is implemented in a way that recklessly and predictably fosters child abuse, why would we give the designer an immunity for the harm it has caused?” he asked. “Would we give an immunity to an electric scooter company whose product design recklessly burned down a few houses just because we thought the scooters were cool and had a positive environmental impact?”
Two experts — John Pescatore, director of emerging security trends at the SANS Institute cybersecurity training organization and Kiersten Todt, president and managing partner of Liberty Group Ventures — argued the bill was necessary so government could force tech companies to take more responsibility for criminal activity on their platforms. But they both said it should not be used to undermine encryption.
“Leaving [Internet service providers] and websites completely free of any responsibility for user content has resulted in vast swarms of malware, ransomware, phishing sites, deep fakes, etc.,” Pescatore said. “The situation today is as if on the Internet [it is] fine to shout ‘Fire!!!’ in a crowded theater, while we know that is NOT OK in the real world!”
Todt argued that tech firms can take numerous reasonable steps to combat the spread of child pornography without weakening encryption. WhatsApp, for example, says it removes about 250,000 accounts each month that it suspects are sharing explicit photos of children based on technical data — even though it can't see the photos themselves.
“The definition of reasonable will be critical to the effectiveness and success of this bill — and this bill should not be an excuse for killing end-to-end encryption,” she said.
Steve Weber, founder and director of the Center for Long Term Cybersecurity at the University of California at Berkeley, argued that encryption protections need to be addressed in the context of much broader concerns about technology and safety.
“Encryption is a critical issue, but allowing it to overshadow everything else is not good politics because it will make the technology community seem dangerously out of touch,” he said.
— More responses to The Cybersecurity 202 Network survey question on whether the EARN IT Act is a good idea:
- NO: “There are better ways to combat child exploitation. The committee should focus on legislative reforms that hold companies accountable for not identifying and blocking child traffickers from their platforms based on currently available signals. That can be done without weakening privacy and security measures.” — Chris Finan, CEO and co-founder of Manifold Technology and a former top White House cybersecurity official during the Obama administration
- NO: “High-tech security measures shouldn't be designed by political appointees … We need to solve child exploitation online, and while I'm sure this bill has the right intent, it's the wrong approach.” — David Brumley, CEO of the cybersecurity company ForAllSecure and a professor at Carnegie Mellon University
- NO: “Any legislated structure that carries the abilities to strip American citizens of their right to privacy is a mistake and a step towards the end of democracy.” — Tony Cole, chief technology officer at Attivo Networks
- NO: “Preventing child exploitation is important, but attacking encryption is not the way to do that.” — Harri Hursti, an election security expert and founding partner of Nordic Innovation Labs
- NO: “Protecting children from exploitation has long been a top priority for [the Internet Association] and its members, but federal policy regarding something as critical as encryption should be debated in the open with all relevant stakeholders.” — Jon Berroya, senior vice president and general counsel at the Internet Association trade group, which includes Google, Facebook and Microsoft among its members
- NO: “I share concerns about the impact of harmful online content on the nation’s most vulnerable people, including our children. The EARN IT Act will not help to deter or prevent any of this criminal activity.” — Christian Dawson, executive director of i2Coalition, an industry group that includes Google, Amazon and Cloudflare among its members
PINGED, PATCHED, PWNED
PINGED: Saudi Arabia appears to be tracking its citizens inside the United States by exploiting vulnerabilities in a decades-old global messaging system that allows cellular customers to move from network to network while traveling, Stephanie Kirchgaessner at the Guardian reports. Privacy advocates say the apparent surveillance campaign highlights an urgent need for U.S. regulators to step in and fix vulnerabilities with the system that made the spying possible.
Saudi telecommunications companies requested location data on Saudi citizens in the United States millions of times over a four-month period starting in November, according to documents a whistleblower shared with the Guardian. The large volume of requests indicates a coordinated surveillance effort, multiple security experts told Stephanie. The Saudi government has a history of hacking its own citizens, particularly dissidents and journalists.
The system the Saudi companies used, known as SS7, is meant to allow foreign providers to track roaming charges, but can be easily misused. DHS has received reports that malicious actors are exploiting the system, the agency told the office of Sen. Ron Wyden (D-Ore.) in a 2018 letter.
T-Mobile and Verizon did not comment on requests from the Guardian asking whether they allowed SS7 requests from foreign providers that could be used for tracking locations. AT&T said it has “security controls to block location-tracking messages from roaming partners."
PATCHED: Federal, state and local officials are partnering with tech and marketing companies in the hopes they can harness cellphone location data to track the spread of the coronavirus in the United States, the Wall Street Journal's Byron Tau reports. Privacy experts, however, say the efforts could pose serious risks without the right safeguards.
Under a White House proposal, the officials are working with advertisers to pull widely available anonymized geolocation data into a national portal. It's a contrast with Europe and Asia, where government officials have urged telecommunications companies to share data with them directly.
The Centers for Disease Control and Prevention and the White House have partnered with a number of tech companies on the project, while some state and local governments have turned to data marketing companies such as Foursquare Labs.
Data marketing is largely unregulated on the federal level and even anonymized data could be tied to individuals, privacy experts caution. Privacy activist Wolfie Christl called for “strong legal safeguards” to minimize risk.
PWNED: House lawmakers failed to renew controversial FBI surveillance tools before leaving town on Friday, leaving the program paused for at least several more weeks, the Wall Street Journal's Dustin Volz reports. Efforts to renew the post-9/11 authorities got mired down as some lawmakers urged broader privacy protections and the bill effectively took a back seat as Congress pivoted to dealing with the coronavirus pandemic.
The Senate passed a short-term extension of the powers before the program expired.
Now, the Justice Department is urging the House to pass the same extension “as soon as possible to avoid any further gap in our national security capabilities,” Justice Department spokeswoman Kerri Kupec told Dustin.
— Cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad: