The EARN-IT Act

Prepare for another attack on encryption in the U.S. The EARN-IT Act purports to be about protecting children from predation, but it's really about forcing the tech companies to break their encryption schemes:

The EARN IT Act would create a "National Commission on Online Child Sexual Exploitation Prevention" tasked with developing "best practices" for owners of Internet platforms to "prevent, reduce, and respond" to child exploitation. But far from mere recommendations, those "best practices" would be approved by Congress as legal requirements: if a platform failed to adhere to them, it would lose essential legal protections for free speech.

It's easy to predict how Attorney General William Barr would use that power: to break encryption. He's said over and over that he thinks the "best practice" is to force encrypted messaging systems to give law enforcement access to our private conversations. The Graham-Blumenthal bill would finally give Barr the power to demand that tech companies obey him or face serious repercussions, including both civil and criminal liability. Such a demand would put encryption providers like WhatsApp and Signal in an awful conundrum: either face the possibility of losing everything in a single lawsuit or knowingly undermine their users' security, making all of us more vulnerable to online criminals.

Matthew Green has a long explanation of the bill and its effects:

The new bill, out of Lindsey Graham's Judiciary committee, is designed to force providers to either solve the encryption-while-scanning problem, or stop using encryption entirely. And given that we don't yet know how to solve the problem -- and the techniques to do it are basically at the research stage of R&D -- it's likely that "stop using encryption" is really the preferred goal.

EARN IT works by revoking a type of liability called Section 230 that makes it possible for providers to operate on the Internet, by preventing the provider for being held responsible for what their customers do on a platform like Facebook. The new bill would make it financially impossible for providers like WhatsApp and Apple to operate services unless they conduct "best practices" for scanning their systems for CSAM.

Since there are no "best practices" in existence, and the techniques for doing this while preserving privacy are completely unknown, the bill creates a government-appointed committee that will tell technology providers what technology they have to use. The specific nature of the committee is byzantine and described within the bill itself. Needless to say, the makeup of the committee, which can include as few as zero data security experts, ensures that end-to-end encryption will almost certainly not be considered a best practice.

So in short: this bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn't come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they'll go bankrupt if they try to disobey this committee's recommendations.

It's the kind of bill you'd come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn't care.

Another criticism of the bill. Commentary by EPIC. Kinder analysis.

Sign a petition against this act.

Posted on March 13, 2020 at 6:20 AM • 55 Comments

Comments

metaschimaMarch 13, 2020 7:33 AM

I signed the petition and hope it will help stop the inevitable. As we've seen in recent times, if it's a bill to stop terrorism and child pornography then it will eventually pass in some form or other, whether it has anything remotely to do with those things or preventing them. In reality is purely about censorship, politics and power. As I've said before, it's best to prepare for the inevitable demise of strong encryption in favor of mass surveillance and oppression. What you really need is a very good cryptography-steganography scheme preferably not computer based, or on a locked down, air gapped or one-way networked computer. Of course there's plenty of potential exploits for these systems as well, and they're not very practical.

Sheilagh WongMarch 13, 2020 7:42 AM

The Four Horsemen of the Infocalypse has been used to justify government and corporate snooping for a couple of decades now. What's different now is the rapidly increasing value that data has to corporations and governments. The data collection is massive and the processing power exists now to analyze and manipulate it. Those with access to data have a tremendous advantage over those who don't. For an insight as to how valuable personal data is I suggest "Everybody Lies" by Seth Isaac Stephens-Davidowitz.

Anybody who advocates for privacy can expect accusations of pedophilia being lobed at them as those who have access to data are desperate to keep it.

Sancho_PMarch 13, 2020 8:29 AM

So what will happen if they can’t read/understand/comprehend what the provider gave them as the "treated by best practise" (= decrypted) content?

When they still can’t parse what I've sent to my buddy?
Is it the provider or Mr. Barr at fault?

Mitch FeiersteinMarch 13, 2020 8:46 AM

Given how integrated tech companies and banks is its worth also giving a thought to stability of financial system. As an example, my bank's systems and website is running on Amazon's cloud services (they confirmed this to me). Would you trust your bank if they improperly secure/encrypt your information/transactions? I doubt I will be able to. I think I'll be visiting my local ATM more often in the future as a result of this.

Undermining trust is a dangerous thing. Remember that.

RjMarch 13, 2020 8:53 AM

"...designed to force providers to either solve the encryption-while-scanning problem, or stop using encryption entirely."

So the obvious answer (twas ever thus) is to encrypt your information with your own *TRULY* private key, using a separate air-gapped TEMPEST compliant computer, before you enter it onto such a provider's system. The statement above only forces *PROVIDERS*, not users, although I suspect that would change as soon as the legislative body realized that the user can do his own encryption. At that time, encryption would become illegal entirely, forcing an outer layer of steganography to hide the message entirely.

If you were a spy/government/military/criminal organization (interesting how they are all members of the same class here!), and really needed good secrecy, a better solution would be to set up a radio network so you did not need to depend on somebody else's network, using spread spectrum to make the transmissions covert (RF steganography), and because there are statistical algorithms to detect that spread spectrum signals are present, obfuscate the very RF emission location by ionospheric micro-meteorite scattering. That way, even if they could tell there was some spread spectrum activity, they could not localize it. Such scattering makes the signal seem to come down from the sky, thus looking like it is everywhere.

markMarch 13, 2020 10:21 AM

Amazing they can put their heads together to come up with this but they can't figure out how to lower prescription costs for my mom. All the articles I have read on this subject talk about messaging apps through a provider like Facebook, Google etc. These are large centralized platforms that store your data. Would this bill affect decentralized services? messenger apps done over blockchain are decentralized. There is no one location to get your data and you have the keys. The encryption can be done on the device not by a provider and is sent directly to the receiver and decrypted on the receivers device. There is no mention of email either. Would encrypted email be targeted? The way I understand it is the encryption they are talking about is strictly for messaging apps on platforms. Can anyone else weigh in on this ? would blockchain be a way around this ?

Yet Another Sockless PuppetMarch 13, 2020 10:34 AM

Perhaps if humanity keeps going down this foolish road more of us will become poets..."Motive for Metaphor" and all in the presence of a "dominant X"... The Soviet Union, afterall, produced many excellent poets. Future generations (if there are any) might thank us.

gordoMarch 13, 2020 11:09 AM

The EARN IT Act: A Very Bad Bill Gets its Day in Congress
Press Release, Free Press Action, March 11, 2020

[T]he legislation would open a door to online-content screening by a governmental commission serving under U.S. Attorney General William Barr.


[ . . . ]

If passed, the legislation would charge a new congressionally appointed commission with the development of “best practices” that all websites, applications, broadband providers and other online entities could follow to avoid liability for what the bill describes as “online child sexual abuse material” posted on their sites or sent over their services by third parties. Failure to certify compliance with these best practices could remove immunity under Section 230 of the Communications Act and expose online entities to state criminal prosecution and civil suits for content they did not themselves create.

https://www.freepress.net/news/press-releases/earn-it-act-very-bad-bill-gets-its-day-congress

Daniel JoubertMarch 13, 2020 12:12 PM

I think they may reconsider if they become the victim of their own bill.

Michel BouckaertMarch 13, 2020 12:20 PM

Section 230 is about privacy, and if a Service does not comply with Best Practices tham it loses that protection.

Now let the politics play their role.

If the Service is, say, a Bank:
(a) It probably doesn't care about S230
(b) If it does it will use "legal bribes" a.k.a. lobbying to exempt itself.
(c_ If the intent is to go after ISP, they's better be able to show that they cannot possibly retain any data that passes through their pipes (even if NSA has the technology deployed)

So the only Services that are affected are free-form, undefined-business-purpose communications; the affected services would have to be

(b) US-based
(c) Public

IMHO the main target is Farcebook and I am not necessarily disapproving that


I see opportunities for non-US-based services and for tools like Diaspora.

Next step will be to make VPNs illegal; but that might take some time

hewhoshallnotbenamedMarch 13, 2020 12:38 PM

This is happening because the tech community refuses to work with law enforcement -- because techies are largely in favor of child porn, drugs sold, and Islamist actions conducted over the Internet. All techies do is complain about how breaking encryption is bad, which is certainly true, and stop there. There are other ways that law enforcement could monitor suspects over the Internet, with one example being key escrows, and the tech community could counter with mandatory improvements to FISA courts and other safeguards for human rights. But now you might get this shoved up your port.

ChrisMarch 13, 2020 1:53 PM

So let me see if I understand this correctly.
American companies need to comply to do all they can to stop kiddieporn. And if not they loose their license...

First of all "all they can" is littlebit difficult to define, so that allready should ring some alarmbells

Second, all that happens is that all those American companies moves to lets see, Canada perhaps...

Or any other of the 200+ plus countries that doesnt belong to US jurisdiction and eeeeh then what..

Did it stop the kiddieporn, nope, did it do good for American companies, nope.
What did it do, well you tell me -

I can see that the future for American companies looks grim in the tech sector, who thought this out ?
Must be someone really clever...
Jeesxx

--

myliitMarch 13, 2020 2:41 PM

Besides Hayden, formerly at CIA and NSA, does anybody know of other spooks or military intelligence personnel, or ex, who think encryption is a net plus, even with the 4 horseman of the apocalypse [1].

I wonder what former FBI Comey and McCabe think about relatively secure communications now.

Perhaps we need former spooks and leos to forcefully advocate against this legislation.

[1] terrorists, child pornographers, money launderers, and drug dealers, I think

hewhoshallnotbenamedMarch 13, 2020 2:53 PM

@mark "they can't figure out how to lower prescription costs for my mom"

Sure they have. Far in excess of 80% of drug components come from China and India, countries not known for clean water or honesty. Almost all aspirin, acetaminophen, and ibuprofen come from China. Most vitamins come from China. Not to mention face masks. And drugs from China (e.g. heparin) and India (anything from Ranbaxy) often have serious quality control issues. The problem is that you want Western quality at Walmart prices; good luck with that. Read "Bottle of Lies" and "China Rx" for details.


@Michel Bouckaert "Section 230 is about privacy"

Section 230 is all about Silicon Valley companies being allowed to evade local laws, transferring large amounts of loot from local communities to the pockets of CEOs and shareholders. Facebook and other Silicon Valley entities make plenty of money, sufficient to ensure that comments and content are within guidelines. Section 230 led directly to revenge porn and the complete loss of privacy. Section 230 should be repealed, but it won't because Ayn Rand groupies control much of politics and corporate America.

Yet Another Sockless PupppetMarch 13, 2020 4:06 PM

@rj
"So the obvious answer (twas ever thus) is to encrypt your information with your own *TRULY* private key, using a separate air-gapped TEMPEST compliant computer, before you enter it onto such a provider's system.'

Or better yet, as @Clive often admonishes, to "energy gap" the encryption, ie, pencil it yourself using an OTP in such a way that you leak no light, sound, etc signals.

That's a bit onerous if you are trying to communicate with more than one interlocutor. I'll probably stick to poetry myself.

Plus it is really hard to avoid leaking sound signals. Ever see "Blowout" (A 70s B movie-ing of "Blow Up")? And the tech for long-range, super-sensitive mics has been available for far longer than that,

Our routers can listen to our heartbeats for emotional states or to our key stroke distances for passwords for goodness sake! If you think you can disable all the mics, there's always the echo or smartphone next door.

And if neuralink et al keep having their regulatory way, soon we will have to worry about what information our brainwave signals might leak.

Evolution gave us a pretty good faraday cage (the skull) and a noisy enough channel in and out of there (language); why on earth would we want to breach that?

Year after year my outrage meter keeps getting reset on a logarithmic scale. Time to go out and smell the rose is a rose is a roses (or gather their buds while I may)

"obfuscate the very RF emission location by ionospheric micro-meteorite scattering"

Endpoints, or at least originating endpoint, my man:)

Jesse ThompsonMarch 13, 2020 5:54 PM

@hewhoshallnotbenamed

The problem is that you want Western quality at Walmart prices; good luck with that. Read "Bottle of Lies" and "China Rx" for details.

Yes, we do. Because if it's not at Wal-Mart prices, many of the people in the greatest need literally cannot afford it.

So to be perfectly honest, I'm a lot happier with inexpensive, generic medications that allow me to keep on living despite the problems that you allege with "quality control" than I am with "no meds at all, please leave enough room on the couch for me to lay down and die".

Isn't it funny how many of the wealthy practice "medical tourism"? Some people happily chant "rah rah USA" as long as they personally aren't the ones who need some kind of help from literally any outside source.

In the meantime, the rest of us "techies" can actually recognize a systemic problem when we see it and call a spade a spade.

Jonathan WilsonMarch 13, 2020 6:51 PM

Here is another article on EARN-IT that says its not as bad for encryption as everyone says it is (although its still very bad)
https://www.lawfareblog.com/earn-it-act-raises-good-questions-about-end-end-encryption

There are some other related articles on that blog as well.

The real question is why its necessary. S220 of the CDA already allows federal criminal actions (which child pornography distribution most certainly is) to be carried out and doesn't give websites any immunity from those. And there is no evidence that I have seen to suggest that the feds have had any issues busting kiddie fiddlers or stopping the distribution of child pornography because websites have tried to hide behind S220 or otherwise not cooperated.

Remember that there have been no actions taken under the law around sex trafficking (FOSTA/SESTA) as of yet with Backpage and other sites shut down using existing laws.

Clive RobinsonMarch 13, 2020 7:53 PM

@ Jonathan Wilson,

Here is another article on EARN-IT that says its not as bad for encryption as everyone says it is

I wish people would stop touting the "lawfareblog" because it's becoming like "brightbart for the establishment crowd".

The last dozen or more of their articles I have read show significant bias pushing very close to falsehoods in one way or another with "opinions couched as truths" and all sorts of other little nasties to worm into your brain.

In short the old advice of,

    If you are going to read the newspaper, first learn to read the newspaper

Is very much true of the lawfareblog, they have become increasingly appologists for the more draconian parts of the establishment. People realy should realise that the writers "realy try hard to put squirrels in peoples heads". They do this by making things that are logical, sensible and straight forward look like they are anything but, and therefore not as it appears to be, but something that is realy the equivalent not of the "bear trap" it is, but some "milk and honey in the promised land" benign fairy tail...

So it's not at all surprising to see that the article is from one of the worst offenders when it comes to actually pushing not toeing the "anti-encryption" line who has been subject to quite a bit of rightfull villification on this blog befor. That is it is non other than ex-NSA general counsle and advocate of weasle wording for lying to congress Mr Stewart Baker...

The only place he should realy be given house room is in the "snake pit".

gordoMarch 13, 2020 8:06 PM

THE EARN IT ACT: HOW TO BAN END-TO-END ENCRYPTION WITHOUT ACTUALLY BANNING IT
By Riana Pfefferkorn on January 30, 2020

The story so far:


In the ‘90s the Internet was created.

This has made a lot of people very angry and been widely regarded as a bad move.

(with apologies to Douglas Adams)[1]

There’s a new bill afoot in Congress called the EARN IT Act. A “discussion draft” released by Bloomberg is available as a PDF here. This bill is trying to convert your anger at Big Tech into law enforcement’s long-desired dream of banning strong encryption. It is a bait-and-switch. Don’t fall for it. I’m going to explain where it came from, why it’s happening now, why it’s such an underhanded trick, and why it will not work for its stated purpose. And I’m only going to barely scratch the surface of the many, many problems with the bill.

https://cyberlaw.stanford.edu/blog/2020/01/earn-it-act-how-ban-end-end-encryption-without-actually-banning-it

DavidMarch 14, 2020 2:14 AM

Tough for the tech company executives when they get a death sentence for spying from one of many countries in the rest of the world

JBBMarch 14, 2020 6:51 AM

I have a suggestion/question. You won't like it. :)

Come up with a way to encrypt messages with an intentional, keyed, computationally very expensive way of decrypting the message alongside the computationally less expensive method if you have the private key.

Give the backdoor key to law enforcement. Make it so ridiculously expensive that they'll only use it when they have to, pointless to attempt to decrypt everything.

Okay, I still agree with the backdoored-decryption-is-no-encryption position.

Clive RobinsonMarch 14, 2020 8:21 AM

@ Yet Another Sockless Pupppet,

Or better yet, as @Clive often admonishes, to "energy gap" the encryption, ie, pencil it yourself using an OTP in such a way that you leak no light, sound, etc signals.

I have said the OTP using pencil and paper and a little discipline is a secure "Hand Cipher" which is also about the simplest hand cipher to learn how to use. Also that it's not dependent on any technology that can be backdoored, or easily evesdropped on remotely and that it will also work with any "human interface" at any communications end point, which some technological solutions may well not (or on which further down).

Importantly I've also made the point it is a "simple example" to get people to understand the idea about where the "communications end point" is and where the "security end point" is, and how they should be kept seperated via a suitable "energy gap".

Because I've also noted as you have,

That's a bit onerous if you are trying to communicate with more than one interlocutor.

Specifically in the Keying Material (KeyMat) Key Managment (KeyMan), where Key Generation (KeyGen) and Key Distribution (KeyDist) the required secure storage and all the process auditing is a mountain of work at the best of times. That is the OTP in it's true form "moves the problem" from one place in the "system" to another.

However I have talked about the use of various Crypto Secure Digital Random Bit Generators (CS-DRBG). Back in the 1990's I used a variation of RC4 and BBS in a "card shuffling" and "waggon wheel" configuration. Whilst it's still secure for what it was designed to do, I would not use it for "Generating Pads" with these days. Times have moved on and so have algorithms, so using two or more of the "AES finalists" in a variation of "counter mode" and a "mixing function" along with BBS would be more appropriate these days. Which obviously needs some "computing grunt" which would be in a seperate "device" or "secure token".

If you dig up my comments about "authenticating transactions not communications channels" going back to the last century you will find I've talked on a number of occasions about "secure tokens" and some of the issues involved with trying to make them usable in human terms, whilst trying to keep them secure, part of which is always "putting the human in the chain" as a kind of "choke point".

The reason for this is, whilst it's easy enough to design a keyboard and display system on a "secure token" that you can use as easily as a smallish mobile phone, the real usabiliry problem is getting the various plain/cipher texts in and out of the device into the communications channel end point device without compromising the "secure token" by extending the communications channel into it via a side channel of some form...

To see why this can happen you have to dig down to the lowest of the electrical physical channels and thats a "simple circuit" to see how it and all systems built on it can be compromised[0].

It's been variously pointed out over the decades that RS232 serial through to full on USB these days can "just be plugged in" however few when making these suggestions realise just what nasties could also "go across the wire" and in how many ways, thus how difficult it is to prevent (hence mitigation by "energy gap").

For instance take what most call RS232 as a short hand[1], it has the basic Shannon Channels of,

1, Local Tx to Remote Rx
2, Local Rx from Remote Tx

That "work against a common ground" thus you get a "two wire" as a minimum for unidirectional data to "three wire" for bidirectional data, and five wire when you add "hardware flow control" (CTS and RTS circuits).

But then there are a whole load of other hardware level Shannon Channels for "signaling" including in some cases "break" on the basic Tx-Rx channels. The standard calls the twenty Shannon Channels it has "circuits" to emphasize that they are physical wires and electrical voltages not any waveforms that convey other signalling or information. Few realise the standard alows for a secondary set of bidirectional communications circuits, data clocks, circuit direction changing as well as "loopback" testing.

The point is that these twenty basic circuits can all carry information thus can form "side channels" that work "out of band" of the assumed data channel (Tx-Rx circuits). Likewise other protocols used as standard like ASCII define "in band" control sequences that can also be used as Shannon Channels to carry information overtly or covertly.

An example of such a covert channel that many ICTsec practitioners are aware of is seen in computer networking with secret "knock codes"[2] to open up ports that would normally be closed. However even several millennia ago Knock Codes developed into "Prisoner Codes" where by two people could pass information backwards and forwards through dungeon walls etc simply by tapping.

So when using an external token it's undesirable from a security asspect to make a connection you can not see "covert channels" on, that could be leaking secret information "on demand" rather than all the time.

I could go on further but, hopefully people that have read this far, get the idea of just how difficult stopping side channels can be[3].

[0] A "simple circuit" is a wire and some kind of return path (usually but by no means always a "ground" or "common" return). You put a "Transmitter" (Tx) at one end (eg a battery and switch/key) and a "Receiver" (Rx) at the other (eg a buzzer or lamp). Such an electrical circuit, from an "Information theoretic" view point, is a basic "Shannon Channel". By simple observation it can be seen that such a "simple circuit" has absolutly no security properties what so ever. That is if you want to make a secure circuit there are a minimum number of physical and information theoretical additions you have to make. Such additions are by no means perfect individually, thus you need to have multiple additions. However the problem is between each addition there are numerous security gaps of many forms which can result in any number of "side channels" that can carry information (see "phantom circuit" "party line" phones as one). That is whilst your wire may be just used by you for "Direct Current" (DC) signalling it can carry not just DC but also "Alternating Current" (AC) of various frequencies 'from DC to near Daylight' that cover the "Electromagnetic" (EM) spectrum as well as mechanical vibrations at audio and above frequencies. All such "energy" can have "information impressed" or "modulated" on to it in various ways not least of which is capacitive or inductive coupling that gives "cross-talk" on long lengths of cables that run in parallel, which is why "individual circuit pairs" are frequently made as "twisted pairs" to try and canncel cross talk from adjacent circuit pairs out (see a piece of Cat 5 UTP network cable).

[1] What most call RS232 is in fact a collection of entirely seperate standards that are frequently but not exclusively used together. The actual RS-232 standard defines connectors, and Data and signaling "circuits" including their basic electrical standards (grounding, voltages, slew rate and thus cable capacitance limits). But not how the circuits are used in terms of signaling rates/frequencies, or character sets/types/function and any error correction or framing.

[2] Just how old "Knock Codes" are is unknown but there are records of them being used going back several thousand years amongst "secret societies" and those in illicit activities, it's even mentioned in Vatsyayana Mallanaga's compendium on "life arts" the "Kama Sutra" from around two thousand years ago. The Knock Code most will have heard is the "Shave and a haircut" used in amongst other things cartoons. Knock Codes act like a password to authenticate people so they could gain admittance or give warning (early "duress code" etc). Computer network knock codes work in a similar way, you send a series of requests to one or more network port numbers, a script running on the remote computer will then enable say the SSH port for say a minute to enable you to log in then use another "secret command" script to keep the port open, otherwise the script times out and the SSH port gets disabled again. The idea was to reduce issues from "script kiddies" first "port scanning" then trying to "brut force" entry thus clogging up logs and resources.

[3] I've also mentioned in the past that there are various "end run attacks" an adversary can use even against pencil and paper OTPs and other hand ciphers. The simplest is a covert CCTV camera overlooking your "usuall work space", so don't have one and move to different places randomly. Remember a web-cam in the screen edge of a laptop will see quite a bit, thus working in another room would be sensible. But laptops like mobile phones also have microphones and your writing style may leak information, so remember to leave them in another room and shut the doors as well. But also laptops have WiFi etc this can be used as a form of passive radar that can "see" the movment of you pencil even through quite solid looking walls cellings and floors. If you look back on this blog I've described a number of times in the past how to design and build an "RF Cage/room" that you can add sound insulation to and rubber shock mountings to turn it into a home SCIF. However having a permanent home SCIF will raise suspicions in anyone who sees it, which is why I've also indicated how you can use common household objects that are not in any way suspicious to quickly build a temporary enclosed space that is shielded and uses "active" techniques to make surveillance harder.

A Nonny BunnyMarch 14, 2020 8:21 AM

@JBB

I actually do like the basic concept of making it possible but extremely costly for law enforcement to break encrypted messages. It fits with my thinking that there has to be a balance between policing being easy enough to keep crime down to acceptable levels, and difficult enough so they can't keep us all down.

But one likely issue is that what is computationally costly now, will be cheap in a few years. And I don't want them to look at my private messages from five years ago without a very good reason and a correspondingly high cost.

That's why I think a cost in manpower is probably better than a computational cost. Let them work for it. We know they can do it, because they do get in the news with the occasional successes.

Sancho_PMarch 14, 2020 8:48 AM

@A Nonny Bunny

I don’t understand how you’d differentiate between manpower and computational costs. And it’s always wasting our money.

However, I can’t stand any clandestine activity in my belongings.
I don’t care if done by the “the good ones” or other criminals.
If they want to know they have to tell me, the owner, first.
They’ve got the metadata, that’s enough, if not too much already.

tfbMarch 14, 2020 11:31 AM

If someone provided an app which dealt with the whole send-data-over-the-network-to-specified-other-app-users thing (with no encryption at all but possibly some verification) which included as part of itself, say, a Python (or JS) interpreter with a bunch of libraries and a way of getting code into the app's sandbox, that would be interesting. I realise rolling your own encryption is bad but someone might post properly-written-and-tested code on github or something.

Obviously this is not the ultra-careful airgapped solution but statistically no-one will use that.

(There is already precedent for apps with Python &/or JS runtimes in them which are user-accessible on iOS, anyway: so long as it's sandboxed properly I think it meets app-store guidelines. You could really only prevent such a thing legally by outlawing general-purpose computing.)

A Nonny BunnyMarch 14, 2020 3:11 PM

@Sancho_P

I don’t understand how you’d differentiate between manpower and computational costs.
I suppose it's not always a clear distinction. But as far as cracking encryption goes, computation is clearly a big factor, and Moore's law suggests it gets exponentially cheaper in time.
Real investigative work on the other hand seems to me much less subject to Moore's law, limited instead by the number of investigators. Without easy access to everyone's communications, they have to collect evidence the hard way. Like following the money, and infiltrating criminal groups, taking over dark web servers etc.

And it’s always wasting our money.
Well, yes. But I don't really see an alternative. It's what we get for being an imperfect species. For society to function you need to keep criminals and other bad actors at bay. But you also don't want the institutions charged with that task to get out of control and ruin society in a different way. So you encumber them with rules and regulations and limited resources. It makes them less efficient and effective, but also less dangerous to society.
They’ve got the metadata, that’s enough, if not too much already.
Unless they have reasonable suspicion and a warrant, I'd say it's too much. I don't like their underlying assumption that everyone's a suspect.

Clive RobinsonMarch 14, 2020 4:48 PM

@ tfb,

You could really only prevent such a thing legally by outlawing general-purpose computing.

Why do it by a legislative ban?

After all as you note with your preceading,

so long as it's sandboxed properly I think it meets app-store guidelines.

So what need to go with legislation when you just have to lean on those who realy own your phones and smart devices?

That's the real point, whilst you can download a programing language like Python onto your "Smart Device" try doing something actually usefull with it and you will find that the "sandbox" of permissions makes it little more than a novelty for just about every one. The reason being you might just find a way to "root your device" and that is very much "VERBOTEN" by the OS designers, device manufacturers and service providers, as you might not "Render unto Ceaser..."

There is a prise to pay with those "walled gardens", which always were in reality the lowest common denominator of a "Canary cage and Opium den".

Freedom at the end of the day only happens when you yourself, not others take responsability for your safety.

Sancho_PMarch 14, 2020 7:10 PM

@A Nonny Bunny

I guess our thinking isn’t too different.

Cracking unknown (strong, moving) encryption was and will be always a costly endeavour in time and manpower, impossible for surveillance of millions of messages per day.
This is why they want the ”easy access to everyone's communications”

- Again, I don’t want a clandestine access to my (our) belongings.
Similar: Instead of hidden radar boxes (and police writing memos in the office) I’d rather want to see them on the street, visible to everyone.
This is to deter wrongdoing before the deed.

That in mind, the next step led to my first posting here in this thread:

”So what will happen if they can’t read/understand/comprehend what the provider gave them as the "treated by best practise" (= decrypted) content?

When they still can’t parse what I've sent to my buddy?
Is it the provider or Mr. Barr at fault?”

Will they attempt to make it unlawful to send gibberish?
What is gibberish, message, encrypted, plaintext?

I’m serious, we (better: they) must discuss the next step before the first!

Jim BrownMarch 14, 2020 7:11 PM

@hewhoshallnotbenamed

This is happening because the tech community refuses to work with law enforcement because techies are largely in favor of child porn, drugs sold, and Islamist actions conducted over the Internet.


“The state must declare the child to be the most precious treasure of the people. As long as the government is perceived as working for the benefit of the children, the people will happily endure almost any curtailment of liberty and almost any deprivation.”
― Adolf Hitler

You're in good company pal.

La AbejaMarch 14, 2020 7:40 PM

The EARN IT Act would create a "National Commission on Online Child Sexual Exploitation Prevention"

They're Catholic. They molest children and this is their plan to "earn" their way out of hell by treating the rest of us as registered sex offenders.

I am not Catholic, and I do not agree with the "religious" doctrines they are passing into law.

They take vows of poverty which allow them to keep nice homes and cars, etc. while they steal our coats in cold weather and force us out naked on the streets.

lurkerMarch 15, 2020 12:26 AM

@Sancho_P
Thirty years ago (nearly ?) when PGP first became the next new thing, I had a colleague who had a colleague, and these two would send each other gibberish plaintext both in the clear, and passed thru PGP. His explanation was "Ya gotta make the spooks earn their crust." Have we made any progress since then?

CuriousMarch 15, 2020 2:39 AM

@Jim Brown

As amusing as that quote seems, I tried to verify that quote on the internet but it seems that perhaps the authenticity of that quote is dubious at least. Presumably, that quote is false, or what I am thinking anyway.

I suppose the quote could be a true, but I checked the internet and there are indications that this quote isn't right.

jdgaltMarch 15, 2020 7:57 PM

Thank goodness my usual encrypted e-mail server is outside the US anyway.

And if authorities think they can ban VPNs, it'll just cause an arms race between VPNs making themselves undetectable and spooks finding new ways to detect them. With a lot more people working on the first side than the second. I don't like it but I'll play that game.

DFlow March 16, 2020 9:46 PM

I doubt this bill has anything to do with kiddie porn. That is just what they want you to believe. This is about people sharing music & movies and vpning into other countries to watch TV and get good programming and news. This is about commerce and making sure the rich corporations just get richer just like getting rid of net neutrality. My internet bill has gone up $30 per month since net neutrality was struck down. The government is all about smoke and mirrors, just like calling this the earn-it act makes it sound like it has to do with people earning something, and they are trying to sneak it in during the corona virus. You can always count on the government to do something against the public during some kind of public emergency while the public is distracted.

DCMarch 17, 2020 3:41 AM

guys - THIS is democracy as we know it. I mean, not like it should be, but hey ...

the only difference to north-corea is that in NC you know who to blame. here in the US it's organized irresponsibility.

cheers

we should consider leaving

Hegel SmithMarch 17, 2020 11:42 AM

The hilarious thing about this is police departments already had the evidence they needed to lock up a predator like Epstein, but they were corrupt enough to sweep it under the rug.

Garrett HopkinsMarch 17, 2020 4:46 PM

As much as I dislike the idea of endangering data encryption, the most glaring issue in what I’ve read here is that the “best practice” is determined by a group of people that may have ZERO experience in the field. If this act was to be passed, it would need to force the consulting of MANY data science experts and representatives of large companies before making any decision regarding the process of searching through data, and how to retrieve certain suspect bits.

Ian Greenhoe March 17, 2020 5:58 PM

If this gets put in place, it becomes the next big target for any sort of cyber criminal or foreign nation state. China will have the keys inside of a week, and they will cheerfully use it to further attack the US.

ISuckDickForALivingMarch 17, 2020 6:03 PM

This whole thing reeks of bullshit. Anyone trying to undermine the people's interest due to the pandemic doesn't have the countries best interests at heart.

stellaMarch 18, 2020 3:40 PM

Everyone that's whining about this should remember that the only damage it will do is to large corporations that currently hoard all of the data and control all the platforms on the Internet.

I'm in favor of anything that disrupts the FANG business model, even if it's ham-handed, unethical, unconstitional, violates your "patriotic" sensibilities, etc.

Because in the end, this is the kind of pressure that will force the Internet to become decentralized. When it is no longer possible to post what you want on Facebook, Instagram, YouTube or some other FANG platform, people will go to alt-tech, or even the darknet. You already see some of this with platforms like Mastodon, Diaspora, Bitchute etc. -- but they are currently very small.

So if FANG is hamstrung, that is a good thing. You can prevent corporations from using encryption, but you can't prevent people from doing whatever they want on the darknet, including using encryption. And also, you can't advertise to to them, collect their data, etc.

The current Internet topology and business models need to die. If "bad" policy like this helps them die, I'm all for it.

VictorMarch 19, 2020 8:44 AM

I took action - you can too.
I used the eff action link on this page..
https://www.eff.org/deeplinks/2020/03/graham-blumenthal-bill-attack-online-speech-and-security
What should I do next???
Below is what I wrote in addition to the templated EFF message.
It took me 5 minutes. What will you do to take action to preserve your sovereign rights?
>>
Dear Sir or Madam,
I opted into this templated communication to make it easier for me to reach you.
I support the templated message below, but moreover I strongly believe that this is a HUMAN RIGHTS issue.
I - not as a citizen - but as a human being am endowed with certain unalienable rights.
This bill threatens to wipe away my sovereign right to my own thoughts, by which my right to pursue happiness arises.
The United States Legislature's proposals for EARN-IT attemp to create backdoors or otherwise circumvent data encryption methods.
It is tantamount to tapping our telephones, snooping our mail, and having the Big Brother screen-on-the-wall.
The United States stands for nothing less than the preservation of fundamental human rights.
This legislation would be yet one MORE step beyond the PATRIOT act towards eroding the founding principles of our nation.
I DEMAND not request that you as our duly appointed and elected representative do everything in your power to REJECT this criminal and subversive legislation despite the transparently cynical political tactic this legislations supporters have adopted by wrapping themselves in the mantle of 'protecting the children.'
We are the UNITED STATES for god sake!
Respectfully your constituent,
Victor (+ other personally identifiable info including full name and contact info)

Erdem MemisyaziciMarch 19, 2020 5:38 PM

Looks like my camel and the tent story got deleted so I'll refer to the horsemen. Terrorists! Think of the children! It's been the same damn story for the last two decades to make encryption illegal. First there were talks about the clipper chip, then Snowden revelations, and now people just straight up forgot I guess that encryption is a right and no, government can't sweep up your documents en masse. It always ends up being okay, there is encryption but you have to use *this* elliptic curve to generate random numbers. That's the camel wanting to put just its head in tour tent. Now it's straight up, we want open access to your house. Yup. No shame.

LukeMarch 19, 2020 10:51 PM

This is terrible this would leave everyone vulnerable to hacking and nnot to mention the privacy concerns

name.withheld.for.obvious.reasonsMarch 22, 2020 10:59 AM

How about a counter-bill, offered by citizens...

Senators Thinking Information Connotes Knowledge--Idiot Twa!?

name.withheld.for.obvious.reasonsMarch 22, 2020 11:14 AM

Invidious you say? Why of course.

This is about "pre-censorship". Realtime or near-realtime (

"Oh yeah, we could do that if...", said an unnamed Facebook (Arsebook) executive."

name.withheld.for.obvious.reasonsMarch 22, 2020 11:21 AM

Wow, not more surreal (esp. when by own hand).

The opening parenthesis followed by a regular expression...my bad.

This is about "pre-censorship". Realtime or near-realtime (less than 10msec) interrupt service (oops wrong context) of online content.

Clive RobinsonMarch 22, 2020 12:08 PM

@ NameWithheld...,

Senators Thinking Information Connotes Knowledge--Idiot Twa!?

+1 ;-)

But another ten if your were to say where? 0:)

name.withheld.for.obvious.reasonsMarch 22, 2020 12:30 PM

@ Clive

I see your +10 and raise ya...ready?

Abolish Rhetorical Senatorial Edicts - Will Honouring Outlandish Legalise, Extemporaneously

Clive RobinsonMarch 22, 2020 5:19 PM

@ name.withheld...,

A well deserved ten points and a hat tip in your direction B-)

I'd watch out though I have a sneeky feeling a certains @Bong Smoking type will see this as a challenge 0:)

Edward SnowdMarch 25, 2020 10:30 PM

The answer to 1984, is 1776. If they want to start a new civil war, and let revolution and anarchy erupt from destroying our god given natural rights and civil liberties. Than let them.

Edward SnowdMarch 25, 2020 10:36 PM

The government has many other avenues to pursue for surveillance. They do not need to backdoor encryption. They just want to make things easier to censor and control the masses. This is a warning, Don't let them prevail.

- Anonymous

LainMarch 26, 2020 2:04 AM

Yet another attempt by the U.S. government to break encryption. It's always been their ultimate dream. Hopefully this one won't be successful.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.