Mar 12, 2020

Analysis | The Cybersecurity 202: Lawmakers, technologists fight over encryption in child exploitation bill

By Joseph Marks





Senate Judiciary Committee member Richard Blumenthal (D-Conn.). (Win McNamee/Getty Images)
THE KEY
A bipartisan bill aimed at curbing online child exploitation became ground zero yesterday in the battle over encryption, with each side accusing the other of acting in bad faith.
The dispute, prompted by a Senate Judiciary Committee hearing, demonstrates the vast gulf between advocates of super-strong encryption, who say it’s vital for cybersecurity, and law enforcement hawks who fear encrypted communications could give free rein to child predators and other criminals.
The bill at issue, the EARN IT Act, would strip tech companies of liability protections when their users share child pornography and other materials that exploit children. It would also establish a 19-member commission to create rules companies can follow to earn back that liability shield.
Tech companies and cybersecurity experts fear that commission will require companies to give law enforcement special access to encrypted communications with a warrant. And they’re accusing lawmakers of using public revulsion at child exploitation to weaken protections that make the Internet safer for everyone.
Lawmakers, meanwhile, are accusing tech companies of using encryption as an excuse to avoid taking responsibility for criminal activity on their platforms.
“I think encryption is a red herring. It's a subterfuge,” Sen. Richard Blumenthal (D-Conn.), one of the bill’s lead sponsors, told me. “If we said we're going to prohibit any ban on [strong] encryption….they would have some other reason to oppose it.”
Tech companies’ real goal, Blumenthal charged, is not losing any portion of their liability shield — guaranteed by Section 230 of the Communications Decency Act — protecting them from being sued for anything users post on their sites. He characterized those protections as a relic of an earlier era when Internet companies needed special protections to innovate and thrive.
“The tech companies are so self-interested and self-absorbed that they're focusing on how their legal shield may be pierced rather than how they shield children from abuse and exploitation,” he said. 
Any recommendations from the commission — including any effort to weaken encryption — would require support from 14 of its 19 members, which will include Cabinet secretaries, technologists, law enforcement and sexual exploitation victims and their advocates. Those recommendations would also have to be approved in Congress.
Cybersecurity experts, however, shot back that lawmakers were being disingenuous by not acknowledging the commission probably will target super-strong encryption, often called end-to-end encryption, which shields the contents of communications even from the platform people are communicating on.
They acknowledge end-to-end encryption makes it tougher for both companies and law enforcement to monitor possible child exploitation. But they argue weakening it would be far too damaging because any encryption back door designed for police could also be targeted by hackers.
“Basically, I see this as a cowardly measure to maintain plausible deniability that this is not about encryption,” Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, told me.
“The message from Congress is ‘protect users, not too much, mostly kids,’ ” she said, paraphrasing a diet credo by author Michael Pollan.
Will Cathcart, who leads Facebook’s end-to-end encrypted WhatsApp messaging service, argued on Twitter that the EARN IT Act “has the potential to make people less safe, not more, by reducing the security of over 2 billion people.”
The online dating company Match Group, which owns Tinder, OkCupid and Match.com, testified in favor of the bill. The majority of tech companies oppose the bill, however. The Internet Association trade group, which represents many of the largest tech companies including Amazon, Facebook, Google and Microsoft, testified against it.
Even among lawmakers there was a split about how directly the bill might target encryption protections. 
During the hearing, Blumenthal said repeatedly that the EARN IT Act is “not an encryption bill.” He also noted that some platforms have made substantial progress combating material that exploits children despite using end-to-end encryption.
WhatsApp, for example, says it removes about 250,000 accounts each month that it suspects are sharing explicit photos of children based on digital signatures from known photos – even though it can't see the photos themselves.
Blumenthal is not willing, however, to include a measure in the bill that says encryption is off-limits in the proposed commission's recommendations, he told me.
“I doubt I am the best qualified person to decide what best practices should be,” he said. “Better-qualified people to make these decisions will be represented on the commission. So, to ban or require one best practice or another [beforehand] I just think leads us down a very perilous road.”
Senate Judiciary Chairman Lindsey Graham (R-S.C.), however, criticized Facebook for planning to expand end-to-end encryption across its messaging services, warning the company will “go blind.”
“The bill is not about the encryption debate, but, the best business practices [the commission will recommend], I’m dying to find out what they should be,” he said.
After the hearing he told reporters: “I’m very concerned about the idea of going blind. I’ve been told you can have encryption and still have reporting systems [and] I’m worried about terrorism. I’m worried about all that.”

PINGED, PATCHED, PWNED


Vice President Pence during a coronavirus news conference in Washington. (Stefani Reynolds/Bloomberg News)
PINGED: Sen. Mark R. Warner (D-Va.) is calling on the White House and a task force led by Vice President Pence to increase efforts to combat online misinformation about the coronavirus amid a slew of reports about phony cures and conspiracy theories.
Warner is urging the coronavirus task force to develop a comprehensive strategy to counter misinformation, including campaigns by Russia and other foreign actors. Cybersecurity companies have also identified numerous hacking scams tied to phony information about the virus aimed at stealing people’s personal information.
Warner also slammed President Trump for “injudicious and false statements” about the virus that contradict the advice of his administration's own health experts and could “legitimize already widespread online misinformation.”
Pence's office did not respond to a request for comment.
The White House, meanwhile, is asking large tech companies to help it combat misinformation about the coronavirus and to track its spread, my colleague Tony Romm reports.
The European Union is also reviving an alliance with U.S. tech firms to rapidly alert about misinformation in light of the virus, the Wall Street Journal’s Valentina Pop reports.

The Department of Homeland Security. (Jason Redmond/AFP/Getty Images)
PATCHED: A bill that would give the Department of Homeland Security subpoena power to force Internet companies to share the names of organizations that are vulnerable to hacking is one step closer to law after it was passed yesterday by the Senate Homeland Security Committee.
Top DHS cybersecurity official Chris Krebs praised the victory on Twitter, calling the legislation “critical” to the agency's mission.
The bill, which was passed by the House Homeland Security Committee in January, could still face some roadblocks before becoming law. Some cybersecurity experts have criticized it for potentially giving DHS the power to snoop on companies and bully them into adopting digital protections.

Attendees check their smartphone devices near a 5G sign. (Simon Dawson/Bloomberg News)
PWNED: A bill that would mandate a top-to-bottom security review of the United States’s next-generation 5G wireless networks is on its way to the president’s desk after unanimous passage in the House. The bill passed the Senate last week.
The Secure 5G and Beyond Act of 2020 comes amid widespread concern about Chinese spying on 5G networks and after the Trump administration already banned the Chinese telecom Huawei from building U.S. networks. It calls on the Trump administration to come up with a comprehensive security plan to protect U.S. mobile technology companies from Chinese espionage within 180 days as well as a list of “trusted suppliers” for 5G equipment.
“It is long past time that the Trump Administration prepare our networks for the 5G future — this bill will force the Administration to do exactly that and ensure federal agencies work together on a comprehensive plan to secure 5G,” Energy and Commerce Committee Chairman Rep. Frank Pallone Jr. (D-N.J.) and communications and technology subcommittee Chairman Mike Doyle (D-Pa.) said in a statement.

PUBLIC KEY

Cybersecurity news from the public sector:
Exclusive: The draft order cites Chinese-manufactured drones as a national security threat.
TechCrunch
The bill won support from GOP lawmakers angry about the monitoring of Carter Page and Democrats seeking privacy safeguards.
Ellen Nakashima and Mike DeBonis
The former Army intelligence analyst who leaked hundreds of thousands of documents to WikiLeaks was hospitalized days before a hearing as she seeks release from civil confinement for refusing to testify to a grand jury investigating the anti-secrecy website.
Clarence Williams
Sen. Jerry Moran (R-Kan.) is planning to introduce a bill Thursday that will require the Federal Trade Commission to appoint at least 440 additional workers to oversee privacy and security, pre-empt most state and local privacy laws and mandate that companies solicit affirmative consent from users before collecting and sharing personal information about them.
Morning Consult
The bipartisan leaders of the House Homeland Security Committee on Wednesday sharply criticized the proposed drop in funding in President Trump’s budget for the Department of Homeland Security’s cyber agency.
The Hill

PRIVATE KEY

Cybersecurity news from the private sector:
Comcast made the same mistake once before and had to pay $33 million.
Ars Technica
"It is the world we are in today, and so have to deal with it," former FBI general counsel Jim Baker said about device encryption.
Vice

THE NEW WILD WEST

Cybersecurity news from abroad:
External hard drives stored all donor data from February 1998 to June 2010.
ZDNet
