The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Get ready for encryption fireworks in Congress today

with Tonya Riley

Encryption advocates and tech firms are sounding alarms about a bill seeking to combat child pornography set to be debated by the Senate Judiciary Committee this morning. 

Sponsors of the bipartisan EARN IT Act say their bill will force tech companies to get tough about combating child pornography by stripping them of liability protections when users share the material on their platforms. But critics fear provisions in the bill could force those companies to abandon strong encryption protections that keep all their users secure against hacking. 

The bill’s sponsors, Senate Judiciary Chairman Lindsey Graham (R-S.C.) and Sen. Richard Blumenthal (D-Conn.), also threw a curveball yesterday when they released an updated version. The new version reduces the chances for a nationwide requirement forcing companies to create encryption backdoors for law enforcement. But it raises the chances laws with those requirements could be passed at the state level – which opponents say is just as bad.

This new bill doesn’t fix the encryption concerns, it just shifts them to a different place,” Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, told me. 

The Internet Association, which includes Google, Microsoft and Amazon among its members, charged that the new version “replaces one set of problems with another by opening the door to an unpredictable and inconsistent set of standards under state laws.” (Amazon CEO Jeff Bezos owns the Washington Post.) 

Judiciary Committee members could vote to forward the old version of the bill, the new version or none to be considered by the full Senate. 

The bill has become a lightning rod in a government push against encryption.

Attorney General Bill Barr has revved up his campaign to convince lawmakers that strong encryption helps criminals and terrorists evade law enforcement. The new bill also comes amid a backlash over privacy issues that’s made many lawmakers far less sympathetic to tech companies and the cybersecurity advocates who are taking their side in this case. 

“Saying we need to [change] technology so it can’t be used for evil is a fool’s errand,” said Sascha Meinrath, a Penn State professor and founding director of the X-Lab think tank focused on the intersection of technologies and public policy. “But convincing people that there are risks we have to accept as a society because of the beneficial uses of technology is very difficult.” 

There's stark division in Congress over encryption. 

Sen. Patrick Leahy (D-Vt.) plans to push for an amendment during today’s committee debate that would effectively bar state or federal officials from undermining encryption when they implement the bill.  

Sen. Ron Wyden (D-Ore), a longtime encryption advocate, charged the updated bill “will do even less than the previous version to stop the spread of child sexual abuse materials” and “create massive uncertainty, both for strong encryption and free speech online.” Wyden and several other senators are sponsoring a separate bill that would invest $5 billion in combating online child sexual exploitation but not weaken encryption. 

Graham, meanwhile, is also sponsoring a separate bill called the Lawful Access to Encrypted Data Act that would completely block companies from using encryption if it prevents law enforcement with a warrant from accessing users’ data and communications. 

The updated version of EARN IT would effectively shift the encryption fight from the federal to the state level.  

The first version created a commission tasked with writing rules for how companies could best protect against users sharing child pornography. It would have retained liability protections for companies that followed those rules but imposed severe civil and criminal liability on companies that didn’t. The standard for culpability was relatively low: Companies could be punished for being “reckless” about not stopping the sharing. And the courts could consider the use of strong encryption that blocked companies from seeing that their users were sharing illegal content to fit this criteria. 

The new version simply removes the liability protections in all instances where users share child pornography. But it only includes federal penalties if the companies know specific users are sharing the material and don’t do anything about it. At the state level, however, it opens the door for far more stringent standards, which could include criminalizing companies using encryption. 

The potential loss of liability protections for content posted on tech platforms would be a significant deterrent to keeping or adopting strong encryption that keeps all users safe from data theft and cyberattacks. And the challenges could be even tougher if companies are forced to comply with a patchwork of different liability standards across 50 states. 

Free speech advocates fear the bill will push tech companies to clamp down on content far beyond child pornography. 

They point to a 2018 law, nicknamed FOSTA, that rolled back tech companies’ liability protections for content related to sex trafficking. The law successfully shut down major sex trafficking sites. But critics say it also made tech companies so fearful of legal consequences they removed large amounts of content that wasn’t actual sex trafficking – including content aimed at helping keep sex workers safe from exploitation and harassment.   

EARN IT critics fear the new version of the bill could lead companies to similarly remove unrelated content, such as sex education materials or message boards aimed at helping LGBTQ youth. 

“Separate and apart from undermining encryption, this raises broad speech concerns in a way that’s unacceptable,” ACLU Senior Legislative Counsel Kate Ruane told me. 

Programming note: The Cybersecurity 202 newsletter is off tomorrow. Enjoy your Fourth of July weekend. 

The keys

China began spying on its Uighur minority using hacked phones as far back as 2013.

The mobile hacking campaign was also far more extensive than previously known, Paul Mozur and Nicole Perlroth at the New York Times report

The Chinese hacking tools appear to have been used against Uighurs in 15 counties, including Pakistan and Turkey, researchers at the cybersecurity firm Lookout report. Some of the hacking efforts, including the use of malware on iPhones used by Uighurs, were pieced together by researchers last fall.

“Wherever China’s Uighurs are going, however far they go, whether it was Turkey, Indonesia or Syria, the malware followed them there,” Apurva Kumar, a threat intelligence engineer at Lookout told the Times. “It was like watching a predator stalk its prey throughout the world.”

The malware targeted popular apps including an app that allowed the user to type using a Uighur keyboard. In other cases, the government hackers tricked the victims into installing phony and malicious versions of real apps like Facebook, Twitter and fake pages for popular news sites.

Democratic senators worry sensitive data gathered for a federal coronavirus program could be shared with ICE.

They called for more transparency about the agency's HHS Protect coronavirus tracking project in a letter to Health and Human Services Secretary Alex Azar, Reed Albergotti reports. The program uses software from Palantir, a big data analytics firm that is best known for working with Immigration and Customs Enforcement and U.S. intelligence agencies.

“We are concerned that, without any safeguards, data in HHS Protect could be used by other federal agencies in unexpected, unregulated, and potentially harmful ways, such as in the law and immigration enforcement context,” the group including Sens. Elizabeth Warren (D-Mass.) and Richard Blumenthal (D-Conn.) wrote.

Members of the congressional Hispanic Caucus brought up similar concerns with the project last week. Both letters cited a 2018 case in which HHS gave ICE access to its Office of Refugee Resettlement records, leading to mass arrests and detentions.

HHS spokeswoman Katherine McKeogh said in a statement that HHS does not share any HHS Protect data with ICE and the system doesn't contain any personal information about coronavirus victims. McKeogh did not address the letter's concerns over reports that HHS said it plans to collect more sensitive information in the future.

China is punching back after the FCC restricted many U.S. telecoms from using Huawei technology. 

Foreign ministry spokesman Zhao Lijian accused Washington of abusing state power and oppressing Chinese companies based on unfounded national security claims, the Associated Press reports.

The order, which the Federal Communications Commission said was based on national security concerns, locks U.S. companies that use Huawei equipment out of over $8 billion in federal funding. 

A Huawei spokesman pointed to an earlier statement accusing the Federal Communications Commission  of singling the company out without providing any hard evidence it's a national security threat.

The FCC simply assumes, based on a mistaken view of Chinese law, that Huawei might come under Chinese government control, the company said. Huawei would never breach its customers’ trust.” 

Huawei has consistently denied U.S. officials’ allegations that it could be a tool for Chinese state espionage.

Industry report

Video conferencing giant Zoom still hasn't released a promised report about government demands it's received for user data. 

The company previously said it would release the report by June 30  after an avalanche of privacy and security concerns, Zack Whittaker at TechCrunch reports. Transparency reports have become a standard practice for U.S. tech companies.

Last month the company briefly suspended Zoom accounts of two U.S.-based people and one Hong Kong activists at the request of the Chinese government. Zoom reversed the decision and said it would no longer allow requests from the Chinese government about users outside of China.

More industry news:

Facebook is launching a voter registration drive for the Fourth of July weekend.

People of voting age will see a notification at the top of their Facebook app with information about how to register to vote and a link to their state's registration website. The effort is a part of a Facebook push to register 4 million voters ahead of the 2020 election. 

Facebook reinstates NSO Group employee accounts amid ongoing lawsuit (CyberScoop)

Chat room

The more you know! From cybersecurity researcher Brian Krebs:


  • The Senate Judiciary Committee will consider the EARN IT Act today at 10 a.m.
  • The House Energy and Commerce Committee will host a hearing on consumer risks during the covid-19 pandemic on July 9 at 12 p.m.

Secure log off

In memoriam:

Legendary writer, performer, and director Carl Reiner’s award-winning career spanned seven decades. Reiner passed away at the age of 98 on June 29. (Video: The Washington Post)