Analysis | The Cybersecurity 202: Democrats push a bill to combat child pornography without undermining encryption
By Joseph Marks
House and Senate Democrats are pushing a $5 billion plan to combat child pornography and other online child exploitation — without undermining strong encryption protections that the Justice Department has said allow those criminal activities to thrive.
The bill, which lawmakers introduced in the House and Senate yesterday, is effectively a multibillion-dollar response to law enforcement leaders arguing tech companies must give the government a way to access online communications with a warrant. And it's the first counterproposal to another bipartisan bill designed to combat child exploitation that's become ground zero in the fight over encryption.
“If you weaken strong encryption, all that filth would just move to dark web platforms and you’d make it easier for really bad guys to harm children,” Sen. Ron Wyden (D-Ore.), a sponsor of the Senate bill, told me, using a term for unregulated portions of the Internet where it’s easier for criminals to act anonymously.
Sen. Ron Wyden, (D-Ore.). (Andrew Harnik/AP Photo/Bloomberg News)
It would also fund 65 new analysts, engineers and counselors at the National Center for Missing and Exploited Children, which officials say has been hobbled by limited resources and outdated technology in recent years and is unable to handle an explosion in child sexual abuse imagery online. A New York Times investigation found instances of those images soared from about 100,000 in 2008 to more than 18 million in 2018.
“Government institutions at every level have failed kids [on this issue],” Wyden said. “I happen to think the way you turn it around is to put significant dollars into prosecutors, investigators and preventive services, and hold them accountable.” Wyden and other security experts say weakening encryption would make it far easier for criminals to steal all users' information and harass and abuse people online — including children — and that there are other ways for law enforcement to stop the crimes.
The bill is also sponsored by Sens. Kirsten Gillibrand (D-N.Y.), Bob Casey (D-Penn.) and Sherrod Brown, (D-Ohio) in the Senate and Rep. Anna Eshoo (D-Calif.), who represents part of Silicon Valley, in the House.
The bill aims to compete with another Senate measure that’s far less encryption friendly.That bill, dubbed the EARN IT Act, would strip tech companies of their prized liability protections when users share child pornography and other materials that exploit children. It would also establish a 19-member commission to create rules companies can follow to earn back that liability shield.
Tech companies and cybersecurity experts fear the commission would require companies to dial back their strong encryption systems — which shield information on the entire route between the sender and recipient — so law enforcement could get access to particular messages with a warrant. Right now, even the companies can't see the contents of the messages due to the end-to-end encryption.
Sen. Richard Blumenthal (D-Conn.), one of the EARN IT Act’s lead sponsors, has denied the bill is aimed at weakening encryption, saying there’s no guarantee the commission will recommend such a move. But he also has declined to take encryption off the table.
The bill has been pilloried by cybersecurity experts. Eighty-five percent of The Cybersecurity 202's standing panel of security experts said in a recent survey that it shouldn’t be passed. One major criticism is that it would give a substantial role on the new commission to Attorney General William P. Barr, who has been one of the government’s most vocal critics of strong encryption.
Barr has criticized Facebook in particular for expanding its digital protections across its messaging services, which the company says will make everyone more secure but Barr argues will lead to a surge in sharing of child pornography on the site.
The EARN IT Act has 10 Senate sponsors including six Democrats and four Republicans, compared to the Invest in Child Safety Act, which has no Republican support so far.
Yet both bills are sure to struggle to gain any attention while Congress focuses on responding to the coronavirus pandemic.
Attorney General William P. Barr addresses the International Conference on Cyber Security at Fordham University in New York. (Richard Drew/AP)
Encryption advocates say warrant-proof encryption makes the vast majority of people safer.While it does allow some criminals to evade police oversight, they say that’s worth it on balance to ensure information for all users is well protected against hackers.
They also argue law enforcement has rushed to attack encryption rather than exploring alternate ways of getting the information.
For example, police can get hacking warrants that allow them to use some of the same tools criminal hackers use to get access to information. They could also build cases with more shoe- leather police work that doesn’t require access to computers.
Those methods both take a lot of time and money and might be aided by a large boost in funding, such as the Invest in Child Safety Act envisions.
Wyden declined to say whether money from the bill should be used to boost those other investigatory techniques, saying he didn’t want to tell police and prosecutors “how to do their jobs.”
He says he’s confident, though, that increased resources will do a better job of tackling the problem than attacking encryption. “I can’t find very many policy changes that create more potential harm to kids than weakening encryption and making it easier for predators to get into their devices and into their homes,” he said.
Congress has never formally debated a bill that would explicitly weaken encryption.Justice Department and FBI officials have been pushing to find workarounds to strong encryption since 2014 but with no significant achievements. The FBI backed away from a court battle in 2015 that might have created a legal precedent that tech companies have to help law enforcement crack into encrypted systems when they have a warrant.
In that case, the FBI withdrew its request that Apple help agents break into a cellphone used by San Bernardino, Calif., shooter Syed Farook after an unnamed third-party vendor offered a tool that could crack into the device without Apple’s help.
The law enforcement case on encryption was also seriously damaged by a 2018 report that found the FBI, which has been the lead agency attacking encryption, repeatedly overstated how many cases were foiled by the protection.
Serious vulnerabilities in an Indian app are prompting worries about the use of location data to track the coronavirus's spread.
People wearing protective masks in Mumbai, India. (Dhiraj Singh/Bloomberg News)
The report should raise alarm bells for other governments that have rushed to roll out contact tracing apps amid the pandemic, privacy advocates say.
“I expect many of the contact tracing apps to have these types of issues, and I think particularly the ones that rely on GPS are going to be more privacy-invasive,” said Ashkan Soltani, a former Federal Trade Commission lead technologist who reviewed Robert's findings and has analyzed other contact tracing apps.
It's not the first security flaw researchers have identified in the app. A previous version of the Android version of the Aarogya Setu app leaked users' location data to YouTube, the New York Times found last week.
A Commerce Department rule will ensure U.S. companies can help set global standards for 5G telecom networks.
A technician wears a protective mask as he installs a new Huawei 5G station on a tower. (Kevin Frayer/Getty Images)
The U.S. government has launched a global campaign to limit Huawei’s role in 5G networks, arguing the company could aid Chinese government spying, but some industry officials worry the efforts are doing too much damage to U.S. companies.
“It is very much past time that this be addressed and clarified,” said Naomi Wilson, senior director of policy for Asia at the Information Technology Industry Council. “Their policies have inadvertently caused U.S. companies to lose their seat at the table to Huawei. ”
State election officials are slamming a federal commission for being too slow to help with voting security guidelines.
A voter. (Patrick Semansky/AP)
“The process is not fast enough to adapt to the changing security environment or to address the accessibility needs of many voters,” Virginia Elections Commissioner Christopher Piper said. “The fact is the delay has proven to be a convenient excuse in all sectors not to update our voting systems.”
The update has been in progress at the same time states have been scrambling to update their protections after Russia probed election systems in most states in the 2016 contest. Congress has also appropriated more than $1 billion to update election systems during that time.
EAC guidelines aren't binding, but many states rely on them to set their own security rules for new voting equipment.
Sens. Elizabeth Warren (D-Mass.) and Amy Klobuchar (D-Minn.) want the FTC to crack down on coronavirus scammers.
Sen. Elizabeth Warren (D-Mass.). (Brian Snyder/Reuters)
“We are calling on the agency to take stronger action to ensure that the huge population of potential victims — the nearly 60 million hardworking men and women who own or are employed by small businesses — are protected during this time of crisis,” they wrote in a letter to Federal Trade Commission Chairman Joseph Simons.
Zoom has tapped Trump's first national security adviser for a board role as it responds to security concerns.
H.R. McMaster. (Jabin Botsford/The Washington Post)
Zoom also hired Jonathan “Josh” Kallmer as head of global public policy and government relations. Kallmer was executive vice president for policy at the Information Technology Industry Council.
More industry news:
Hackers who impersonate CEOs to con their victims are developing even more tricks, researchers found.
A Wall Street sign is displayed in front of the New York Stock Exchange. (Mark Kauzlarich/Bloomberg News)
More news about hacks and breaches:
Hackers infected a core system of a big European health-care conglomerate.
A doctor looks at computer screens at a hospital. (Sophia Sandurskaya/AP)
More international cybersecurity news:
Chat roomThoughts on a trailer for U.S. Cyber Command?
Maybe your purpose on this planet isn't on this planet.https://t.co/lr7tBQp775 pic.twitter.com/oHLgwcY2eq— United States Space Force (@SpaceForceDoD) May 6, 2020
- The Knight Foundation will host a webinar on coronavirus misinformation, featuring Dr. Safiya Umoja Noble, at 1 p.m.
- The Cyberspace Solarium Commission will host a virtual forum on Friday from 11 a.m. to 12 p.m.
- The Senate Commerce Committee will host a hearing on the state of broadband amid the covid-19 pandemic on Wednesday at 10am.
- The Information Technology and Innovation Foundation will host a webinar “Mind the Gap: A Design for a New Energy Technology Commercialization Foundation” on Wednesday at noon.
- The Open Technology Institute will host an event on the role of technology in pandemic response efforts on May 14 at 11:30 a.m.