By Joseph Marks
Senate Judiciary Committee Chairman Lindsey O. Graham (R-S
Congress should abandon a new bill that could be used to roll back encryption as part of an effort to combat the spread of online child pornography, according to an overwhelming majority of
About 85 percent of our standing panel of experts called the bill, dubbed the EARN IT Act, a bad idea.
“The EARN IT Act would cause great harm to the open Internet and put everyday Americans at greater risk — creating problems rather than offering a solution,” said Heather West, head of policy for the Americas at the nonprofit Internet company Mozilla.
The Cybersecurity 202 Network, first launched in 2018, comprises more than 100
The EARN IT Act would strip tech companies of their prized liability protections for what users share on their platforms, unless they follow rules designed by a new government task force — which experts fear would require companies to give law enforcement special access to encrypted communications.
Network experts warned that such a move would make hundreds of millions of people more vulnerable to hacking — and probably wouldn’t even accomplish its main goal of preventing online child exploitation.
“The EARN IT bill not only will fail
The bill's sponsors, Sens. Lindsey Graham (R-S
Experts charged, however, that the bill was designed so that weakening encryption would be the inevitable result.
"This bill… is clearly a ‘backdoor to a backdoor’ to encryption,” said Riana Pfefferkorn, associate director of surveillance and
Whitney Merrill, a former Federal Trade Commission attorney, called it “encryption backdoor legislation in disguise” and warned that “while there's no mention of ‘encryption’ in the bill, there is no possible way to do what the bill requires without undermining end-to-end encryption,” a technical term for encrypted communications that can’t be viewed even by the company providing the messaging service.
“The bill is targeted at child exploitation only as a means of achieving the broader goal of government surveillance generally,” said Paul Rosenzweig, a top Department of Homeland Security official during the George W. Bush administration who now runs Red Branch Consulting.
Other experts lashed out at the idea of the U.S.
“Making it easier to combat child exploitation is the right idea,” said Scott Montgomery, vice president and chief technical strategist at McAfee. “However, giving Attorney General Barr (or any single AG) oversight of a committee weighing a nebulous ‘best practices’ list
The fact the bill puts Barr at the head of the task
“While you can’t argue that the issue of online child sexual exploitation should be addressed through legislation, it’s politically underhanded to use this sensitive public safety issue as subterfuge to advance an issue they’ve been otherwise unsuccessful in achieving,” said Weatherford, who’s now a global information security strategist at Booking Holdings.
Some experts also warned the bill could result in much broader access to encrypted communications for law enforcement even when child pornography is not the main concern.
“It pushes toward an Internet where the law
Joe Hall, senior vice president
And if the government gains special access to encrypted communications with a warrant, there’s no guarantee hackers won’t steal that access and use it to swipe users' personal information, warned Jake Williams, a former National Security Agency hacker and founder of the
“The government has shown time and time again that they can't protect classified information from access (and even release) by unauthorized parties,” he said, pointing to two prominent leaks of secret hacking tools from the NSA and CIA that proved devastating for the agencies.
“To think the government can (or will) do any better with encryption
“Experts agree that
And even if the bill does result in weaker encryption in products from U.S.
“Put simply, the EARN IT bill would mandate faulty encryption for Americans, while strong encryption would still be easily available to anyone intelligent enough to download their application from, for example, an E.U.
That would also make it more difficult for U.S.
“American tech with such mandated encryption
A 15 percent minority of Network experts said the EARN IT bill was a good idea.
Former NSA general counsel Stewart Baker argued that limiting encryption might be necessary to prevent the spread of child pornography and other criminal activity.
“If encryption is implemented in a way that recklessly and predictably fosters child abuse, why would we give the designer an immunity for the harm it has caused?” he asked. “Would we give an immunity to an electric scooter company whose product design recklessly burned down a few houses just because we thought the scooters were cool and had a positive environmental impact?”
Two experts — John Pescatore, director of emerging security trends at the SANS Institute
“Leaving [Internet service providers] and websites completely free of any responsibility for user content has resulted in vast swarms of malware,
“The definition of reasonable will be critical to the effectiveness and success of this bill — and this bill should not be an excuse for killing end-to-end encryption,” she said.
Steve Weber, founder and director of the Center for Long Term Cybersecurity at the University of California at Berkeley, argued that encryption protections need to be addressed in the context of much broader concerns about technology and safety.
“Encryption is a critical issue, but allowing it to overshadow everything else is not good politics because it will make the technology community seem dangerously out of touch,” he said.
THE NETWORK— More responses to The Cybersecurity 202 Network survey question on whether the EARN IT Act is a good idea:
“There are better ways to combat child exploitation. The committee
should focus on legislative reforms that hold companies accountable for
not identifying and blocking child traffickers from their platforms
currently available signals. That can be done without weakening privacy and security measures.” — Chris Finan, CEO and co-founder of Manifold Technology and a former top White House cybersecurity official during the Obama administration
“High-tech security measures shouldn't be designed by political
…We need to solve child exploitation online, and while I'm sure this bill has the right intent, it's the wrong approach.” — David Brumley, CEO of the cybersecurity company ForAllSecure and a professor at Carnegie Mellon University
- NO: “Any legislated structure that carries the abilities to strip American citizens of their right to privacy is a mistake and a step towards the end of democracy.” — Tony Cole, chief technology officer at Attivo Networks
- NO: “Preventing child exploitation is important, but attacking encryption is not the way to do that.” — Harri Hursti, an election security expert and founding partner of Nordic Innovation Labs
“Protecting children from exploitation has long been a top priority for
[the Internet Association] and its members, but federal policy
regarding something as critical as encryption should be debated in the
with all relevant stakeholders.” — Jon Berroya, senior vice president and general counsel at the Internet Association trade group, which includes Google, Facebook and Microsoft among its members
- NO: “I share concerns about the impact of harmful online content on the nation’s most vulnerable people, including our children. The EARN IT Act will not help to deter or prevent any of this criminal activity.” — Christian Dawson, executive director of i2Coalition, an industry group that includes Google, Amazon and Cloudflare among its members
A man walks past a banner showing Saudi
Saudi telecommunications companies requested location data on Saudi citizens in the United States millions of times over a four-month period starting in November, according to documents a whistleblower shared with the Guardian. The large volume of requests indicates a coordinated surveillance effort, multiple security experts told Stephanie. The Saudi government has a history of hacking its own citizens, particularly dissidents and journalists.
The system the Saudi companies used, known as SS7, is meant to allow foreign providers to track roaming charges, but can be easily misused. DHS has received reports that malicious actors are exploiting the system, the agency told the office of Sen. Ron Wyden (D-Ore.) in a 2018 letter.
T-Mobile and Verizon did not comment on requests from the Guardian asking whether they allowed SS7 requests from foreign providers that could be used for tracking locations. AT&T said it has “security controls to block location-tracking messages from roaming partners.”
President Trump and Vice President Pence.
Under a White House proposal, the officials are working with advertisers to pull widely available
The Centers for Disease Control and Prevention and the White House have partnered with a number of tech companies on the project, while some state and local governments have turned to data marketing companies such as Foursquare Labs.
Few motorists drive on Pennsylvania Avenue NW in Washington on March 25. Officials have urged residents to stay home to contain the spread of the
The Senate passed a short-term extension of the powers before the program expired.
Now, the Justice Department is urging the House to pass the same extension “as soon as possible to avoid any further gap in our national security capabilities,” Justice Department spokeswoman Kerri Kupec told Dustin.