EARN IT: The Anti-Encryption Bill That Doesn’t Mention Encryption or Backdoors

The US is planning on introducing a new bill that has a lot of privacy experts worried. Many have called it an “encryption backdoor” bill or an “anti-encryption” bill. On the face of it, though, it’s supposed to be a “fight child porn” bill – the word “encryption” is not mentioned even once.

So why are so many encryption and privacy experts saying it is a workaround over encryption?

A Long-ish History

The current Attorney General under the Trump Administration, William Barr, has made it very clear that he doesn’t like encryption. He abhors the fact that the technology prevents law enforcement from making use of search warrants, which is understandable: arguably, that a warrant was issued means that there’s reason to believe a crime is being committed or that evidence of such can be found. Search warrants are one of the ways of balancing privacy with the need for prosecuting crimes.

As such, not being able to act on a warrant means one of the main tools for combating crime has been nullified. Of course, a warrant does not guarantee results (the police can always come up empty handed either due to bad luck or because their initial assessment was wrong), and some privacy experts have used this failure as an example of why warrants shouldn’t guarantee access to encrypted materials. However, most would admit that the inability to even begin searching for evidence is a different matter. It’s the difference between searching a house and not finding anything vs. not being able to get into the house at all.

The use of encryption is similar to the latter, and the problem it poses (labeled as “going dark,” by the government’s PR team, probably) has been a persistent thorn in the side of US law enforcement for many years now.

In 2016, the FBI and Apple went to court over the issue. The FBI wanted the courts to force Apple to help retrieve data from an encrypted iPhone that belonged to a terrorist. Apple was adamant that it couldn’t (not that it wouldn’t). Furthermore, it wouldn’t make changes to its underlying software to hamstring encryption.

Surprisingly, public opinion was firmly on Apple’s side. Many who were following the case thought the FBI had purposefully waited to bring suit against a tech company so they could play up the terrorist aspect: Mobilize public sentiment and outrage, and use it as a lever against companies who were unwilling to compromise their encryption technology.

Trying to Win Through Marketing

That legal skirmish did not end well for the FBI. The issue was never settled: the FBI found a third party to decrypt the phone (interestingly, public and expert opinion had increasingly swayed to Apple’s side right before this solution appeared out of nowhere), and Americans became ever more educated on the issues of encryption and privacy. Senators and House representatives who had jumped into the circus act, first accusing Apple of protecting criminals, started singing a different tune. For example, from this techdirt.com article:

On February 18th, Senator Lindsey Graham had this to say about the FBI v. Apple court battle.

Our nation is at war and this iPhone was used to kill Americans. We need to protect our homeland, not terrorists. To Tim Cook and Apple, cooperate with the FBI.

As surprised as we were to learn it was an iPhone that killed 14 people in San Bernardino, rather than the attackers and the weapons they wielded, Graham had yet another surprise in store for us.

Sen. Lindsey Graham (R-S.C.), who last December called on Silicon Valley to stop selling encrypted devices, expressed serious concern on Wednesday about the precedent the Department of Justice would set if it successfully compels Apple to break iPhone security features.

“I was all with you until I actually started getting briefed by the people in the Intel Community,” Graham told Attorney General Loretta Lynch during an oversight hearing in the Senate Judiciary Committee. “I will say that I’m a person that’s been moved by the arguments about the precedent we set and the damage we might be doing to our own national security.”

Cynics among us believed at the time that the Senator didn’t quite have a change of heart as much as he saw which way the wind was blowing.

Now, the same Senator and a handful of others have introduced a bill that is meant to combat online child exploitation. But, as the experts have noted, the way the bill is structured, it can only lead to companies hamstringing their encryption… or being bankrupted by government lawsuits for not doing so.

It almost appears as if this is the thought process: since lowlife terrorists weren’t able to convince the public that strong encryption is a bad thing, perhaps outrage towards another lowlife group could do the trick. Also, don’t mention encryption because otherwise the game’s up!

“This bill says nothing about encryption,” co-sponsor Sen. Blumenthal said at today’s hearing. “Have you found a word in this bill about encryption?” he asked one witness.

No offense, but isn’t this the kind of defense the Mafia set up for themselves? The communications and orders are indirect, contrived, and hidden so that nobody really knows what’s going on unless they’re in on it?

Why Would Encryption Have to be Compromised?

In order to fight online child exploitation, the bill requires online tech platforms like Facebook or WhatsApp to scan for media and messages that involve such crimes (e.g., child porn). Human eyes must be involved somehow, obviously, but so are artificial intelligence and machine learning. Most Americans don’t know it, but there is a database of such images and videos because a lot of the old stuff gets copied and shared ad nauseam. AI can make very good and fast use of this database to compare any photos or videos being passed around and flag them, stop them from reaching their destination, etc.

So, all of this is very doable. But to scan for such media requires that you scan all media*, and you can’t scan all of it if the message is encrypted. So, what would a tech platform have to do to comply? It would have to kiss encryption goodbye. Or, it’d have to create a backdoor to it. Otherwise, the company is brought to heel for not following this particular law (if passed, that is).

* (Obviously, this opens up a can of constitutional worms. The NSA’s PRISM surveillance program was essentially this, and public blowback to it was the reason why tech companies started to encrypt stuff left and right. Let’s not forget indiscriminately searching all communications is probably illegal under the First and Fourth Amendments).

As Senator Blumenthal remarked, there’s no mention of encryption in the bill. But this is a matter of connecting the dots. Just because there aren’t any lines actually depicting a triangle below doesn’t mean that the point of the image isn’t the technically nonexistent triangles (yes, plural. There “are” two of them):

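[Image: an optical illusion in which triangles are perceived although no lines actually depict them. By Fibonacci – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=1788215]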

It’s obvious if you’re paying attention. And security and privacy experts are paying attention.

Still the Same Level of Danger… or Even More Danger

Here’s the thing, though: this will do very little to prevent and eliminate child exploitation.

Why?

Because lowlifes can always encrypt their messages and media before sending them. Instead of offloading the security aspect to a tech platform, they can take care of encrypting stuff themselves. Thus, law enforcement is back at square one: impenetrable encryption impeding access (if you’re not aware, plenty of companies in countries other than the USA create encryption software).

Except that they’re not really back at square one, are they, because, hey, tech platforms’ encryption doesn’t pose as much of an obstacle as before!

The sad thing is, criminals of all kinds will know they’re not protected anymore. The stupid, ignorant ones will mess up by not taking precautions before sending or posting messages – and this has always been true, even today – but the rest will not because their lives literally depend on it. It’s the reason they use encryption and encrypted services to begin with.

In the meantime, all the law-abiding citizens who have nothing to hide and were enjoying the strongest online protections possible are left shortchanged.

Is it any wonder, then, that the privacy and security experts picked up on this and are calling foul?

Related Articles and Sites:
https://blog.cryptographyengineering.com/2020/03/06/earn-it-is-an-attack-on-encryption/
http://cyberlaw.stanford.edu/blog/2020/03/earn-it-act-here-surprise-it%E2%80%99s-still-bad-news
https://www.lawfareblog.com/earn-it-act-raises-good-questions-about-end-end-encryption
https://reason.com/2020/03/18/the-earn-it-act-is-the-new-fosta/
https://nakedsecurity.sophos.com/2020/03/13/earn-it-act-threatens-end-to-end-encryption/
https://www.theverge.com/interface/2020/3/12/21174815/earn-it-act-encryption-killer-lindsay-graham-match-group
https://www.schneier.com/blog/archives/2020/03/the_earn-it_act.html
https://www.eff.org/deeplinks/2020/03/earn-it-bill-governments-not-so-secret-plan-scan-every-message-online


