Encryption

The Senate Judiciary Committee is conducting hearings on a bill that would strong arm companies that use encryption into altering their technologies to make them “subpoena compatible.”

Under the proposed legislation – Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) – Internet technology companies would be forced to hand over user information upon subpoena and not hide behind the excuse that the requested data is encrypted, therefore, inaccessible, or that backdoors cannot be created because they would destroy consumer confidence and impact sales.

The Power of Obfuscation

Here’s the insidious part: The bill’s bipartisan sponsors were very careful to avoid using the word “encryption” anywhere in the proposed legislation. This is a clever ploy to give them the deniability they need to gather bipartisan support in Congress and to lull the rest of America into complacency:

“This bill says nothing about encryption,” co-sponsor Sen. Richard Blumenthal (D-CT) said to a witness during a March 12 hearing. “Have you found a word in this bill about encryption?”

Although the EARN IT bill does not contain the word encryption, it does contain this obfuscated phrasing in Section 4, which is deliberately crafted to be interpreted in virtually endless ways:

(III) whether a type of product, business model, product design, or other factors related to the provision of an interactive computer service could make a product or service susceptible to the use and facilitation of online child sexual exploitation

Without explicitly saying so, encryption is one of the ways to make a product or service susceptible to the use and facilitation of online child sexual exploitation. This allows Sen. Blumenthal to deflect criticism by claiming with a straight face that the EARN IT bill “says nothing about encryption”.

The Strong Arm Tactic

Section 230 of the Communications Decency Act protects online platforms in the United States from legal liability for the behavior of their users. Without this protection, many Internet services enjoyed today may have never been created in the first place – including social networks like Facebook and Twitter as well as secure messaging services like WhatsApp and Signal.

The EARN IT bill proposes the creation of a 19-member commission to formulate best practices these and other tech companies would have to implement in order to “earn” continued Section 230 immunity.

What the bill proposes is a system whereby companies would have to demonstrate compliance with the commission’s set of “best practices” that are unlikely to allow strong end-to-end encryption, perhaps weakening it with mandatory backdoors that would give law enforcement easy access to user data. Of course, backdoors would also attract state sponsored criminal organizations and hackers of every kind, but the Senate Judiciary Committee does not consider this a valid concern.

Such a demand, according to the Electronic Frontier Foundation (EFF), would put companies in an awful position: “either face the possibility of losing everything in a single lawsuit or knowingly undermine their users’ security, making all of us more vulnerable to online criminals.” [See “Encryption Backdoors Will Make Us All More Vulnerable“]

Nevertheless, any company that doesn’t comply with the commission’s recommendations will lose their Section 230 protection – in essence, exposing them to an endless barrage of lawsuits if they were to suddenly become responsible for the random musings of their users.

While some tech giants might be able to deal with the financial and public relations fallout stemming from a continuous stream of new lawsuits, it would not be possible for small non-profits like Signal – provider of one of the world’s most secure messaging services – to continue operating in the United States. The ramifications are clear: many tech companies would have to relocate, and new startups might choose to begin elsewhere.

According to Joshua Lund, spokesman for Signal, the argument that EARN IT has nothing to do with encryption is disingenuous both because of the way that the bill is structured and the people involved.

The Rogues Gallery

Democrats and Republicans revealed their intentions about encryption during a Senate Judiciary Committee hearing held on December 10, 2019.

Chairman Lindsay Graham (R-SC) warned tech company executives, “My advice to you is to get on with it, because this time next year, if we haven’t found a way that you can live with, we will impose our will on you.”

Sen. Joni Ernst (R-IA) warned the tech-industry witnesses that if an encryption solution “doesn’t happen by you, it will happen by Congress.”

In a veiled threat, Sen. Sheldon Whitehouse (D-RI asked if Silicon Valley was prepared to accept liability for deaths that resulted from investigators’ inability to access encrypted data. “You have to be willing to own up, and take responsibility for the harm,” he admonished.

Sen. Marsha Blackburn (R-TN) warned that companies like Apple and Facebook should change their approach and share more data with investigators. “If you all can’t do that, we will do that.”

Sen. Dianne Feinstein (D-CA) wrote legislation in 2016 that would have effectively banned strong encryption as it exists today. She is also a supporter of EARN IT.

The EARN IT bill would also grant Attorney General William Barr, a vociferous critic of end-to-end encryption, with the power to interpret and enforce any “best practices” emanating from the commission that the bill would create. If passed, this legislation would effectively give Barr the legal tools he has long requested, including the revocation of Section 230 protection against noncompliant companies.

There Are Consequences

Defenders of the bill say it deals specifically with matters related to child exploitation. The stated intent of Senate Bill 3398 is “to establish a National Commission on Online Child Sexual Exploitation Prevention, and for other purposes.” What reasonable person would oppose this?

As Signal’s Joshua Lund observed recently:

“Bad people will always be motivated to go the extra mile to do bad things. If easy-to-use software like Signal somehow became inaccessible, the security of millions of Americans (including elected officials and members of the armed forces) would be negatively affected. Meanwhile, criminals would just continue to use widely available (but less convenient) software to jump through hoops and keep having encrypted conversations.”

If the government finds that this scheme works well against child exploitation, why wouldn’t it continually be expanded into new areas; after all, there would already be precedent for it, the machinery for doing so already in place, and the rest of America already lulled into complacency.

Don’t expect the courts to come to the rescue to protect the Fourth Amendment right against unreasonable searches and seizures. When issues of fundamental rights reach the courts, the government is presented with an opportunity to put qualifications on those rights. If the argument is “reasonable” the courts tend to go along, or invent new qualifications of their own despite the clear “shall not” language imposed on them by the Constitution’s Bill of Rights.

At the Supreme Court level, a byproduct of carefully framed rulings is that they instill a sense of inevitability among Americans, dissuading them from engaging in futile opposition and noncompliance. After all, the matter would be seen as “settled law,” which reinforces general acquiescence.

Of the 22 members of the Senate Judiciary Committee, the only dissenting voice during the EARN IT hearing of December 2019 was Mike Lee (R-UT), who rightly observed, “If we open these things up [cryptographic protections], there are consequences.”

---------------

Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.

Everything You Need. More Than You Expect.
703-407-4363  |  info@xpheria.us