For Whom the Bill Tolls: Encryption

A new draft bill written by Sen. Lindsey Graham, which is ostensibly designed to prevent online child exploitation, could have the effect of giving a federal commission the ability to stop service and platform providers from employing end-to-end encryption.

The bill is currently in the discussion draft stage, but experts who have analyzed it say that not only could it have a broad effect on the use of encryption, it likely would not even have the intended effect of stopping the spread of exploitation material. The bill, known as the EARN IT Act, is meant to address online child exploitation by having a commission of appointed experts create a set of best practices for service providers to follow in identifying and removing exploitation material from their platforms. The United States attorney general would chair the commission and would have the authority to change the best practices.

“The purpose of the Commission is to develop recommended best practices for providers of interactive computer services regarding the prevention of online child exploitation conduct,” the new bill says.

The bill would place broad responsibility for identifying, classifying, and removing child exploitation material on the service providers, something that would be impossible for services that are deployed with end-to-end encryption. The creation, distribution, and possession of child exploitation material is already illegal under U.S. law, and a separate law, the Communications Decency Act (CDA), contains a portion known as Section 230 that protects service providers from being held liable for what users say and do on their platforms. Also, the Communications Assistance for Law Enforcement Act (CALEA), which requires that telecom companies enable wiretaps, has an exemption for so-called “information services” such as email, messaging, and other applications.

The bill that Graham (R-S.C.) is proposing would require service providers to adhere to the best practices laid out by the new commission or else potentially lose the exemption they have under Section 230 of the CDA.

“The bill would, in effect, allow unaccountable commissioners to set best practices making it illegal for online service providers (for chat, email, cloud storage, etc.) to provide end-to-end encryption -- something it is currently 100% legal for them to do under existing federal law, specifically CALEA. That is, the bill would make providers liable under one law for exercising their legal rights under a different law,” Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, wrote in a deep analysis of the bill and its potential effects.

The most obvious effect would be on services such as Signal, WhatsApp, Apple iMessage, and others that provide end-to-end encrypted messaging. Because of the way those systems are built, the providers do not hold the keys to decrypt users’ messages, so they don’t have the ability to inspect messages for potentially abusive content. Although Graham’s bill, which also includes input from Sen. Richard Blumenthal (D-Conn.), doesn’t explicitly mention encryption or specific services, the effects on those services would be extensive if they’re not able to comply with whatever best practices the commission develops.

“Crypto is really the elephant in the room for the Graham Blumenthal bill, it's a signal for Facebook and Signal to provide this method or be prepared to pay through the nose,” Pfefferkorn said during a talk at the Enigma conference earlier this week.

The other serious shortcoming with the bill, Pfefferkorn said, is that it won’t have the intended effect of curtailing the spread of child sexual abuse material (CSAM), because much of that already occurs on private sites and services.

“The threat of losing Section 230 immunity will be scary to major tech companies such as Facebook that try in good faith to abide by federal CSAM law. But that threat will have no effect on the bad actors in the CSAM ecosystem: dark web sites devoted to CSAM, which already don’t usually qualify for Section 230 immunity because they have a direct hand in the illegal content on their sites,” Pfefferkorn wrote in her analysis.

The bill is still in the early stages, and these measures often change materially before they’re introduced. But the U.S. government and law enforcement community have been pushing to weaken cryptosystems or limit their utility for more than 25 years, and this is just the latest link in that chain.