The battle to defend end-to-end encryption and privacy continues as Congress introduces yet another measure for back doors into people’s data.
March 9, 2020
By: Bobby Casey, Managing Director GWP
Online service providers do not want to lose business over the fear of data breaches, so they are constantly optimizing and improving the security of your information.
That’s as it should be.
But the government takes the sensible concerns of private citizens, exploits them, and demands backdoor access to their accounts and information… in the name of safety.
The needs of the consumer were already met by the technology. I don’t hear people clamoring for more government to get into their business. In fact, there are crickets both on the mainstream left and right. The only ones calling for it are the political hacks in Congress.
The fight continues.
The Clinton administration back in 1993 wanted to use key escrow to give law enforcement backdoor access to consumer devices. Key escrow is “an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.”
Imagine that kind of 3rd party intrusion into your physical home. A spare key with your alarm code is kept in a vault that a cop can use whenever they think it’s “necessary”. If no-knock raids have taught us anything, this is a very bad idea.
Key escrow didn’t take hold in the 90s. Researchers proved it to be too faulty to implement. They tried it again in 2000 under Bush and then again under Obama in 2010.
It was a bad idea every single time.
Here we are in 2020, listening to the same tired arguments from the feds about the dangers of encryption, and the latest bill on tap comes courtesy of Lindsey Graham (SC) and Richard Blumenthal (CT): the Eliminating Abusive and Rampant Neglect of Interactive Technologies (or EARN IT) Act.
An odd acronym, considering innocent people hardly deserve this, much less earned it.
A critical piece of free speech protection in jeopardy is Section 230:
Section 230 simply states that, in most cases, speakers should be responsible for their own speech, not Internet intermediaries who host that speech.
According to a draft published several weeks ago, EARN IT would strip away Section 230 protections, offering them only to Internet companies who followed a list of “best practices” set up by a government commission of 15 people. This commission, set up in the name of protecting children, will be dominated by law enforcement agencies.
Of course! What legislation would be complete without invoking “the children”? But much like the gun control debate, it’s not the gun that is responsible for murder. The person who wielded it, however, is 100% culpable for taking a life.
The car dealership isn’t responsible for drunk driving.
Microsoft, Google, Facebook… the internet… isn’t responsible for what people post. The individual is responsible for their speech and content.
The EFF brings up a really interesting point. Look at the composition of the 15-member commission:
1 will be picked by the Department of Homeland Security
1 will be picked by the Department of Justice
1 will be picked by the Federal Trade Commission
2 commission members “shall have experience in handling internet crimes against children in a law enforcement capacity.”
2 commission members “shall have experience in providing victims services for victims of child exploitation.”
2 commission members “shall have experience in handling internet crimes against children in a prosecutorial capacity.”
2 commission members “shall have experience in computer science or software engineering.”
4 commission members will have experience working for online services of varying sizes—but must have “experience in child safety.”
That’s a lot of law enforcement and law-enforcement-related appointees, whose biases could lean toward favoring the ambitions of people like Attorney General William Barr, who seeks backdoor access.
This is becoming a major disincentive for encryption, and that’s a scary prospect for journalists, whistle-blowers, and victims of abuse whose safety relies on such things.
Even with Backpage, as we’d mentioned, the anonymity offered through that service was still much safer and better than the alternative.
Decisions about privacy should not be predicated on the fringe arguments. No matter how nasty the villain, no matter how tragic the victim, and any moderate scenario in between, the right to privacy is sacrosanct and nonnegotiable.
When the government gets access to data outside the very narrow scope of a search warrant, you will start to see more headlines like this:
Google tracked his bike ride past a burglarized home. That made him a suspect.
“I was using an app to see how many miles I rode my bike and now it was putting me at the scene of the crime,” the man said.
The fact that this man popped as a suspect simply for riding his bike by the area is no different from being stopped at a sobriety checkpoint simply for being at that location at that time. Existing somewhere is now probable cause for whatever happens near you? That’s where surveillance and privacy invasion seem to be leading society.
Being the government, chances are there will be some “compromise” that boils down to “freedom for me, but not for thee”. Everything the politicians do is in the name of national security. But everything you and I do is suspicious.
One such possible “compromise” could be what’s called “Client-Side-Scanning”. Just so you know, it’s a re-brand of key escrow. It’s not quite the same, but it has the same general principle of giving a 3rd party access to your messages.
The short answer is: you can’t have end-to-end encryption with exceptions because inevitably that means privacy and due process with exceptions.