By Joseph Marks
A coalition of dozens of top cybersecurity and Internet freedom groups, academics and experts sent a blistering letter this morning to the sponsors of an anti-encryption Senate bill they say would make hundreds of millions of Americans more vulnerable to hacking.
The bill, called the Lawful Access to Encrypted Data Act, is the harshest among a number of efforts to weaken encryption across the Justice Department and Congress.
It would effectively require tech companies to weaken access to their secure systems to ensure law enforcement with a warrant can track terrorists, sexual predators and other criminals. But that would also make it far easier for cybercriminals and adversary nations to hack into troves of government, financial and health records, the authors write. They include the Internet Society, the Wikimedia Foundation and the Center for Democracy and Technology as well as experts at the American Civil Liberties Union, Stanford University and the Massachusetts Institute of Technology.
The bill “states that strong encryption is dangerous and it facilitates ‘criminal activity,’ without acknowledging that end-to-end encryption protects all people and is vital to many sectors of the economy, from banking to healthcare,” the letter states. End-to-end is the strongest form of encryption in which communications are completely garbled as they travel between the sender and recipient and can’t be deciphered even by the company that owns the platform.
The bill’s sponsors are Senate Judiciary Chairman Lindsey Graham (R-S.C.), and Sens. Marsha Blackburn (R-Tenn.) and Tom Cotton (R-Ark.).
The calls reflect a dramatic shift during the past six years as lawmakers and officials have grown increasingly skeptical that strong encryption is as important as experts say. Cybersecurity experts, meanwhile, have grown more concerned they may lose a fight they view as vital to the future of the Internet.
Sen. Lindsey Graham (R-S.C.). (Tasos Katopodis/Getty Images).
That has opened up a bevy of new opportunities for hackers and made strong encryption even more vital, they say.
Weakening encryption “would put the safety and security of Internet users in danger at a moment when a devastating pandemic has made secure technologies more critical than ever to the everyday lives of Americans,” they write.
Law enforcement also isn't exploring ways it can track criminals online without breaking encryption, experts argue. Those methods include using legally authorized hacking to exploit errors in how criminals use encryption. In rare cases, investigators have also used previously unknown bugs to break into encrypted devices and services.
“Interviews with hundreds of federal, state, and local law enforcement officials have shown that the largest barrier to law enforcement when dealing with modern communications systems is not encryption,” the authors write. “Rather, it is an inability to leverage the data they currently have or could have access to.”
That argument got a major boost this week when European law enforcement revealed an investigation that led to hundreds of arrests by cracking an encrypted service called Encrochat used by drug traffickers and other criminals. By hacking into the networks, police said they were able to read millions of messages in “real time, over the shoulder of the unsuspecting senders.”
U.S. law enforcement has also successfully broken into encrypted devices in major cases. In two high-profile cases where Apple refused to help the FBI crack into encrypted iPhones, investigators ultimately gained access by working with secretive hacking tool brokers.
Those phones belonged to Syed Farook, who killed 14 people and injured others during a workplace shooting in San Bernardino, Calif., in 2015, and Ahmed Mohammed al-Shamrani, who killed three people and injured eight others in a shooting at a Pensacola, Fla., military base in 2019.
In the San Bernardino case, then-FBI Director James B. Comey suggested the price tag for the access was more than $1 million.
Facebook also paid more than $100,000 for a hacking tool that revealed the messages of notorious sexual predator Buster Hernandez as part of an effort to help the FBI build a case against him, Vice reported recently.
Facebook has been a major target in Justice's push against encryption because of plans to expand end-to-end encryption across its messaging platforms — a move that Attorney General William P. Barr says will lead to a major expansion in sharing child pornography.
The letter comes just days after encryption advocates notched a partial victory against another encryption-threatening Senate bill.
EARN IT Act sponsors Senate Judiciary Chairman Lindsey Graham (R-S.C.) and Sen. Richard Blumenthal (D-Conn.). (Andrew Harnik/Pool/Reuters).
The companies feared that would force them to stop using end-to-end encryption, but a last-minute amendment from Sen. Patrick Leahy (D-Vt.) went a long way toward assuaging those concerns. It basically bars civil and criminal cases against companies for violating the bill’s rules merely because they use encryption.
Encryption advocates still have heartburn about the bill, though.
They worry it will open the door for lengthy litigation in which firms must prove that it’s just encryption that’s preventing them from combating the spread of child sexual abuse material and not something else, the Center for Democracy and Technology’s Greg Nojeim notes.
The amendment also fails to exempt other cybersecurity protections beyond encryption that make data more secure but might also inhibit law enforcement investigations, Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford's Center for Internet and Society, writes.
Delaware’s primary today marks a mini-test for Internet-based voting.
A man wears a sticker that says "I Voted." (Photo by Chandan Khanna/AFP/Getty Images).
State Election Commissioner Anthony Albence defended offering the app and then removing it, saying the state “had no problems with the system” but “want[s] everyone to be fully confident in anything that we do.”
Delaware was one of three states that launched pilots of OmniBallot this year, but it was the only state offering it broadly to voters quarantining because of the coronavirus. West Virginia and New Jersey offered the app only to voters with disabilities that made it unfeasible to vote by mail. Several states already used the app for military and overseas voters.
New Jersey piloted the app during primary elections for local offices in a handful of counties. It agreed not to pilot it in its presidential primary, which is also being held today, as part of a broader lawsuit.
Delaware and New Jersey both also substantially expanded mail voting for today’s primaries.
Some cybersecurity companies drew Paycheck Protection Program money to weather the pandemic.
President Trump signs the Paycheck Protection Program and Health Care Enhancement Act. (Jonathan Ernst/Reuters).
That went toward “protecting over 250 employee jobs in Maryland, Virginia, and North Carolina during the initial phase…of the pandemic,” Chief Marketing Officer Russ Cobb told my colleague Cat Zakrzewski. The company plans to pay back the loan rather than try to convert it into a grant, Cobb said.
Other PPP recipients include Fidelis Cybersecurity, which provides services to numerous government and military clients, and the cybersecurity news service CyberWire, according to SBA data.
The U.K. appears poised to block Huawei from its 5G networks in a major blow for the Chinese telecom.
A man stands in the Huawei shop in Shanghai. (Alex Plavevski/EPA-EFE/Shutterstock)
“I’m very determined to get broadband into every part of this country,” Johnson said. “I’m also determined that the U.K. should not be in any way vulnerable to a high-risk state vendor, so we have to think carefully about how we handle that.” U.S. officials have said Huawei can’t be trusted not to spy for the Chinese government, a charge Huawei denies.
The French government, meanwhile, appears poised to recommend against telecoms using Huawei in their 5G networks but will stop short of an outright ban, the French newspaper Les Echos reported as translated by Reuters.
The United States is looking at banning China-based TikTok over security concerns.
U.S. Secretary of State Mike Pompeo. (Photo by MANDEL NGAN/POOL/AFP via Getty Images)
“We’re certainly looking at it,” Pompeo said, adding that the administration was taking the issue “very seriously,” Timothy Bella reported.
Pompeo said Americans should download TikTok “only if you want your private information in the hands of the Chinese Communist Party,” Reuters reports. TikTok has denied sharing any information with the Chinese government.
An explosion and fire at an Iranian nuclear plant was likely sabotage, intelligence officials say.
A satellite image shows a damaged building after a fire and explosion at Iran's Natanz nuclear site. (Planet Labs Inc., James Martin Center for Nonproliferation Studies at Middlebury Institute of International Studies via AP)
The move could nevertheless prompt retaliatory cyberattacks from Iran.
Chat room
Here's a stunning visual from MIT and Prof. Charles Stewart III of the increase in voting by mail between the 2016 and 2020 primaries:
The MIT branch of the @HealthyElex is keeping track of mail-ballot usage in the primaries. Here is the first graph showing the data. A note on data sources is at Election Updates. https://t.co/LOufDT6PN5 pic.twitter.com/Vzi1vk8K9e — Charles Stewart III (@cstewartiii) July 6, 2020
- A House Appropriations Committee panel will debate funding for the Homeland Security Department at 9 a.m. today.
- The House Energy and Commerce Committee will host a hearing on consumer risks during the covid-19 pandemic at noon Thursday.