End-to-end encryption could be a casualty in the fight against child pornography

A measure against the spread of child pornography is sailing through Congress – but cybersecurity and privacy advocates are warning of an unfortunate possible side effect.

The EARN IT Act, which passed the Senate Judiciary Committee with unanimous support yesterday, could make companies less likely to offer end-to-end encryption even as the measure cracks down on the spread of material that's deeply damaging to children.

Several senators expressed reservations about how the bill might chip away at encryption, opening the door for a drawn-out pressure campaign to make the bill as cyber and privacy friendly as possible before it reaches its final form.

“We must do something,” Sen. Cory Booker (D-N.J.) said. “I’m just looking forward to doing the work between now and the floor to see if we can mediate against some of the legitimate concerns that I hear from the privacy community.”

The bill marks one of the rare instances in which Big Tech firms, privacy and human rights groups and domestic violence survivors have all lined up to oppose the same issue. But they’ll have an uphill battle, contending against bipartisan congressional frustration with Big Tech platforms and a genuine desire to curtail the spread of child pornography. Here's more from Cat Zakrzewski.

The details

The EARN IT Act would remove federal protections that currently prevent tech companies from being held legally liable for what users share on their platforms if they knowingly allow those users to share child pornography.

Cyber and privacy advocates fear those liability concerns will lead tech firms to stop offering the strongest form of encryption, called end-to-end, which blocks everyone except the sender and recipient from viewing a message — including the tech company itself and police with a warrant.

End-to-end encryption has been invaluable for guarding people against hacking and government surveillance, but it’s also made it easier for criminal activity to go undetected online, including sharing material that exploits children.

The EARN IT Act includes language aimed at protecting end-to-end encryption, but advocates say there are too many loopholes in the current version.

“Journalists, human rights activists, survivors of domestic violence all rely on end-to-end encrypted services. By disincentivizing offering those services, all those groups will live in a world that’s less secure,” Samir Jain, policy director at the Center for Democracy and Technology (CDT), told me.

Sen. Mike Lee (R-Utah) has suggested an amendment that would expand encryption protections.

Put simply: The current bill says encryption can’t be the only reason a company is judged guilty of knowingly allowing child pornography on its platforms. Lee’s amendment would say it can’t be a reason at all.

That fix wouldn’t completely allay encryption advocates’ concerns, but it would help, Jain told me.

Critics also want to remove language that would make it easier for state officials to find companies liable under the law using a lower standard than the federal one, and that would allow offering encryption to be used as evidence in legal proceedings against tech companies.

Facing off: The CDT led a group of about 60 human rights, civil liberties, privacy and tech policy groups in a letter to lawmakers opposing the bill. The bill’s sponsors effectively countered with a letter supporting the bill from 250-some groups opposing sex trafficking and child exploitation.

Making the bill more encryption friendly could be a tall order.

Sen. Richard Blumenthal (D-Conn.), a co-sponsor, knocked back encryption concerns early in the debate, calling them a “gigantic red herring” propagated by “Big Tech and their armies of lobbyists and their allies.”

That drew pushback from EARN IT Act opponents.

Here’s Evan Greer, director of the Fight for the Future advocacy group:

Senator Blumenthal dismisses opposition to the #EarnItAct as all coming from "Big Tech lobbyists."

That's just outright false.

Dozens of leading human rights, LGBTQ+, racial justice, and civil liberties organizations oppose the EARN IT Act, including @ACLU @HRC @glaad @amnesty — Evan Greer (@evan_greer) February 10, 2022

Other senators tried to balance the two issues.

“I have two folders, one full of letters from law enforcement and child advocacy organizations urging that we take this up and pass it. The other from … human rights organizations, civil rights organizations … urging me to oppose it,” said Sen. Chris Coons (D-Del.).

Coons said he wants to keep revising the bill to reduce the harm to encryption. But Congress doesn’t have a great track record with complex technology issues and competing priorities, he warned.

“We legislate rarely in complex issues around technology and privacy here. And in some cases, we do not legislate particularly well,” he said.

Sens. Jon Ossoff (D-Ga.) and Alex Padilla (D-Calif.) also said they want to push for encryption changes in the bill.

The keys

NSO clients reportedly have ability to cover their digital tracks, complicating investigations

NSO Group’s Pegasus spyware can be set to not create data logs of the spyware’s activity, making it difficult to verify some hacks after the fact, the Times of Israel reports. The report cites an interview by the Hebrew-language publication Calcalist with a person “with very close knowledge” of how Pegasus was built.

“The source told the newspaper that deniability is built into the architecture of the spyware,” the outlet writes. Such a feature was requested by government clients who had concerns about exposing sources or targets if they received court orders or if the leadership of their countries changed, according to the report.

NSO refuted the claims to Calcalist and threatened to sue the outlet, according to the Times of Israel. The company argues that Calcalist’s claims were “sensationalist” and that its systems “include full documentation of the actions performed in them.” The company also said records are preserved for legal purposes.

Privacy and civil rights advocates are concerned about the data ID.me is collecting

The identity verification firm, which has come under scrutiny following a scuttled IRS contract, says it collects a vast amount of data in state contracts, including location information from people’s phone companies “in the event of an investigation into a user,” Drew Harwell reports.

“The company says that information is critical to flushing out identity theft,” Drew writes. “Its privacy policy says it can use people’s sensitive and personally identifiable information to ‘cooperate with law enforcement activities.’ ”

The contract information raised alarms for civil liberties groups. The level of data collected by the company suggests it could be “morphing from a privatized identity-verification investigator into a privatized FBI,” American Civil Liberties Union senior policy analyst Jay Stanley said.

ID.me chief executive Blake Hall said the company is “deeply committed to access, equity, security and privacy.”

The IRS this week announced that it wouldn’t be using ID.me’s face-scanning to verify identities of people trying to access their tax information online. The move came after dozens of lawmakers objected to the facial recognition contract.

More wild details are emerging about the couple charged with trying to launder billions in cryptocurrency

Prosecutors accused Heather Morgan and Ilya “Dutch” Lichtenstein of trying to use their Bengal cat, Clarissa, to distract federal agents as Morgan tried to lock her cellphone, Rolling Stone’s Brenna Ehrlich reports. “Law enforcement had to wrest the phone from her hands,” prosecutors wrote in a filing.

“The comments of Morgan’s TikTok are currently flooded with folks worried about the well-being of the cat, whose breed (a hybrid of a domesticated cat and an Asian leopard cat) usually sells for thousands of dollars,” Ehrlich writes. Bengal cats appear to be illegal in New York City, where Morgan and Lichtenstein lived.

It’s yet another oddball detail about a couple that’s become a point of fascination for cyber watchers. “Morgan, 31, is a fan of making art out of prosthetic eyeballs, has written for Forbes, and decided to take up rapping due to an unnamed ‘professional mishap,’ ” Ehrlich writes. “Lichtenstein, 34, is a Russian-U.S. national who studied psychology at the University of Wisconsin [in Madison], co-founded a [company called] MixRank, and, apparently, enjoys cat food.”

Prosecutors have accused Morgan and Lichtenstein of trying to launder around $4.5 billion in cryptocurrency that was stolen from Bitfinex in 2016. They haven’t been accused of the hack itself.

Chat room

The Federal Trade Commission warned ahead of Valentine’s Day that romance scams are increasing. Such scams typically take advantage of the lovelorn and end up duping them out of money.

Romance scammers draw people in using pictures stolen from around the internet, building false personas that seem just real enough to be true, but always having a reason never to meet in person #DataSpotlight /2 — FTC (@FTC) February 10, 2022

While many people report the #RomanceScam💔 started on a dating site or app, reports of romance scams originating from contact through social media were also common #DataSpotlight /4 — FTC (@FTC) February 10, 2022

Rep. Jim Langevin (D-R.I.):

Just in case you haven't watched @netflix’s documentary on the Tinder Swindler yet, the @FTC wants to go over a few things.

Never send money to people you meet online, and a request for gift cards or wire transfers should be a red flag!

Learn more ➡️ https://t.co/p9dlrOJJLZ — Jim Langevin (@JimLangevin) February 10, 2022

James Paterson, who chairs the Australian Senate’s Intelligence Committee, had this Valentine’s Day warning to offer:

Chair of Intelligence Committee @SenPaterson echoes @ASIOGovAu's warning foreign spies could be recruiting Australians on dating apps:

"If you're a 6 and they're a 10 - it might not be your looks that they've been charmed by, it might be your access to classified information" pic.twitter.com/OHFm2CuH8Y — Andrew Greene (@AndrewBGreene) February 10, 2022

Privacy patch

Apple plans to make AirTags easier to find

The changes aim to prevent people from using the tags to surreptitiously track partners and family members, Chris Velazco reports. AirTags originally were designed to clip onto devices — like your keys — so people can locate them when they're lost. But experts have warned for months that they can also be used for stalking.

The changes won’t go into effect until Apple releases updated software for its devices. The company wouldn’t say when those updates will become available.

Securing the ballot

Someone may have improperly accessed Michigan voting machines, jeopardizing their security

Voting machines in Richfield Township and Roscommon County may need to be replaced after an “unnamed third party” reportedly accessed them, Michigan Secretary of State Jocelyn Benson (D) said.

Colorado Secretary of State Jena Griswold (D) also announced new rules to restrict access to voting machines and ramp up security controls. Griswold’s office announced on Thursday that she concluded an investigation of possible improper access of voting machines, finding there wasn’t any such access.

Daybook

Cybersecurity firm Dragos hosts a webinar with NSA and CISA officials to discuss industrial control system cybersecurity on Monday at 1 p.m.

The R Street Institute holds an event on Black professionals in the cybersecurity workforce Wednesday at 1 p.m.

The Institute for Critical Infrastructure Technology hosts a webinar on critical infrastructure technological recommendations on Wednesday at 5 p.m.

The U.S.-China Economic and Security Review Commission meets to discuss China’s cyber capabilities Thursday at 9 a.m.

Secure log off

A couple put a mic on their 4-year-old while snowboarding, and dressed him up in a dinosaur outfit.

In case you could use a smile today… pic.twitter.com/dr31N1lTJ3 — Rex Chapman🏇🏼 (@RexChapman) February 10, 2022