Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Encryption United States

The EARN IT Act is an Attack on Encryption (cryptographyengineering.com) 176

A bipartisan pair of US senators on Thursday introduced long-rumored legislation known as the EARN IT Act. The bill is meant to combat child sexual exploitation online, but if passed, it could hurt encryption as we know it. Matthew Green, a cryptographer and professor at Johns Hopkins University, writes: Because the Department of Justice has largely failed in its mission to convince the public that tech firms should stop using end-to-end encryption, it's decided to try a different tack. Instead of demanding that tech firms provide access to messages only in serious criminal circumstances and with a warrant, the DoJ and backers in Congress have decided to leverage concern around the distribution of child pornography, also known as child sexual abuse material, or CSAM. [...] End-to-end encryption systems make CSAM scanning more challenging: this is because photo scanning systems are essentially a form of mass surveillance -- one that's deployed for a good cause -- and end-to-end encryption is explicitly designed to prevent mass surveillance. So photo scanning while also allowing encryption is a fundamentally hard problem, one that providers don't yet know how to solve.

All of this brings us to EARN IT. The new bill, out of Lindsey Graham's Judiciary committee, is designed to force providers to either solve the encryption-while-scanning problem, or stop using encryption entirely. And given that we don't yet know how to solve the problem -- and the techniques to do it are basically at the research stage of R&D -- it's likely that "stop using encryption" is really the preferred goal. EARN IT works by revoking a type of liability called Section 230 that makes it possible for providers to operate on the Internet, by preventing the provider for being held responsible for what their customers do on a platform like Facebook. The new bill would make it financially impossible for providers like WhatsApp and Apple to operate services unless they conduct "best practices" for scanning their systems for CSAM. Since there are no "best practices" in existence, and the techniques for doing this while preserving privacy are completely unknown, the bill creates a government-appointed committee that will tell technology providers what technology they have to use. The specific nature of the committee is byzantine and described within the bill itself. Needless to say, the makeup of the committee, which can include as few as zero data security experts, ensures that end-to-end encryption will almost certainly not be considered a best practice.

This discussion has been archived. No new comments can be posted.

The EARN IT Act is an Attack on Encryption

Comments Filter:
  • Sigh (Score:5, Funny)

    by MightyMartian ( 840721 ) on Friday March 06, 2020 @12:26PM (#59803606) Journal

    It's too bad mathematics can't bend to Congress's will.

    Tune in next week, when Congress stands on the beach and starts commanding the tides.

    • by mark-t ( 151149 )
      Bills like this are basicallly equivalent to saying that two people are forbidden from engaging in absolutely any form of communication that somebody else (assuming the other person somehow had the legal right to eavesdrop) would not be able to understand.
      • by Strill ( 6019874 )

        So if you were to create your own language, that only you understand, and then sent a message in that language over the internet, would you be in violation of this law?

        • Re: Sigh (Score:5, Insightful)

          by saloomy ( 2817221 ) on Friday March 06, 2020 @01:45PM (#59803924)
          Yes. That's what end-to-end encryption is, a new language that only those two systems know how to speak. I'll be the asshat marked troll for saying this too, but sorry kids. Child exploitation is a scourge on our society, but stopping isn't isn't worth the price of losing our rights to privacy to talk amongst each other. It's just not. There. Said it. The ends don't justify the means in this case. We can't end every freedom we've fought for in the name of ending child exploitation.

          should we fight it? Yes! Should it be punishable by severe and cruel punishment? YES. Should we give up freedoms just to make sure you don't engage in it? NO!!!!
          • Re: Sigh (Score:4, Insightful)

            by gweihir ( 88907 ) on Friday March 06, 2020 @07:05PM (#59805088)

            It goes even farther: The last time this was discussed in Germany, the national association of those abused as children was very much opposed to the law and found it pretty vile that their suffering was used to justify it.

            The other problem is that this will not stop a thing. People trading this stuff will just step up their security. And it is the wrong target anyways. Obviously, most child abuse is not recorded.

          • Re: Sigh (Score:4, Insightful)

            by serviscope_minor ( 664417 ) on Saturday March 07, 2020 @07:18AM (#59805884) Journal

            Should it be punishable by [...] cruel punishment? YES

            Hell no. Lock them away where they can't do any harm, sure. If you want to then go above that to be actively cruel, then you're just getting your jollies. Civilized countries have banned cruel punishments in law, even if the US seems to ignore that part of the constitution the ban is still there.

            • The Supreme Court has made it clear that the "and" in "cruel and unusual punishment" is important. You can punish people in unusual ways if it's not cruel. Some judges use this leeway to attempt to deliver better outcomes. You can also punish people in cruel, traditional ways. Hence capital punishment and other forms of punishment that are generally accepted, such as the dehumanizing impact of prisons.

      • Re:Sigh (Score:5, Informative)

        by ISayWeOnlyToBePolite ( 721679 ) on Friday March 06, 2020 @02:21PM (#59804060)

        Bills like this are basicallly equivalent to saying that two people are forbidden from engaging in absolutely any form of communication that somebody else (assuming the other person somehow had the legal right to eavesdrop) would not be able to understand.

        Not exactly, for a more in depth balanced view https://www.lawfareblog.com/ea... [lawfareblog.com]

        • Re:Sigh (Score:5, Insightful)

          by Curunir_wolf ( 588405 ) on Friday March 06, 2020 @04:03PM (#59804542) Homepage Journal

          From TFA:

          The risk of liability isn’t likely to kill encryption or end internet security. More likely, it will encourage companies to choose designs that minimize the harm that encryption can cause to exploited kids. Instead of making loud public arguments about the impossibility of squaring strong encryption with public safety, their executives will have to quietly ask their engineers to minimize the harm to children while still providing good security to customers—because harm to children will in the long run be a cost the company bears.

          The whole thing is a moronic argument to justify frightening companies into NOT offering end-to-end encryption.

          Legal departments at all the big tech firms will simply nix any designs that incorporate privacy for end users.

        • Re:Sigh (Score:4, Insightful)

          by whoever57 ( 658626 ) on Friday March 06, 2020 @05:08PM (#59804800) Journal

          That isn't a balanced view, it's a rose-tinted view that thinks that technology is magic.

          Read the penultimate paragraph and this becomes clear:
          "The risk of liability isnâ(TM)t likely to kill encryption or end internet security. More likely, it will encourage companies to choose designs that minimize the harm that encryption can cause to exploited kids. "

          It doesn't explain how end-to-end encryption can continue when companies "choose designs that minimize the harm that encryption can cause to exploited kids". Magical thinking at work. It's about as clear as claiming that one plus one doesn't equal two.

          • It's about as clear as claiming that one plus one doesn't equal two.

            It's a bit ironic that you're saying that on an article about encryption where Galois fields are all the rage.

        • by rgbscan ( 321794 )

          I usually love lawfare, but this is seriously the worst tech analogy I've read in a long time:

          "In other words, EARN IT will require companies that offer end-to-end encryption to weigh the consequences of that decision for the victims of child sexual abuse. And it may require them to pay for the suffering their new feature enables.

          I don’t doubt that this will make the decision to offer end-to-end encryption harder. But how is that different from imposing liability on automakers whose gas tanks explode

      • Re:Sigh (Score:4, Insightful)

        by Kernel Kurtz ( 182424 ) on Friday March 06, 2020 @02:53PM (#59804188)

        Bills like this are basicallly equivalent to saying that two people are forbidden from engaging in absolutely any form of communication that somebody else (assuming the other person somehow had the legal right to eavesdrop) would not be able to understand.

        Yes. You are allowed to keep secrets from anyone but your government, who must always have a way to see all.

        Unfortunately history is pretty clear that governments are the entity people most desperately need to be able to keep secrets from. That includes yours, no matter how much you think bad things could never happen there.

        • Re:Sigh (Score:4, Insightful)

          by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Friday March 06, 2020 @03:48PM (#59804476) Journal

          It's worth noting that even *IF* you were to give the government every benefit of the doubt, assuming their motives and all of their activities were nothing but benign (I know that's a stretch, but hear me out), it follows because of fact that you cannot stop people from being able to do math (and all computation is ultimately math), that if the government can access your private data, then so can any potentially malicious actor. It's important to realize that this is not just pessimistic speculation, it's actually a foregone conclusion.

          This means that rather than being able to access your private information resulting in the government's improved ability to crack down on illegal activity, law enforcement's job is actually made *harder* and not easier, because now they would additionally have to protect innocent people from exploitation by bad actors who are reading the same information that the government has access to.

          Of course, that's still assuming that the government has the genuine intent of trying to stop criminals in the first place.

          I am genuinely curious what a proponent of this kind of bill would have to say when they are forced to confront this enormous corner they are trying to paint themselves and everyone else into.

          I can't think of any response that a proponent might give that wouldn't be an outright and obvious admission that they actually don't care about the safety or security of the general public at all.

          • No arguments here.

            Of course, that's still assuming that the government has the genuine intent of trying to stop criminals in the first place.

            Protecting themselves will always come before stopping criminals, but either way the calculus is the same. How much obvious risk will they expose everyone to in pursuit of their own goals vs any real risk to themselves. I'd guess the answer is "a lot", but maybe that is just me.

    • Sure would make a lot of math easier if we just redefined pi to 3.0.
  • by Jarwulf ( 530523 ) on Friday March 06, 2020 @12:30PM (#59803620)
    its almost never a good sign.
  • by Rick Schumann ( 4662797 ) on Friday March 06, 2020 @12:31PM (#59803624) Journal
    Disingenuous assholes.
    • That's alright. I'll see his "think of the children" and raise him a "HIPPA/HITECH". If he's still game after that, I'll drag in the PCI.
  • .... is that this sort of bill has precisely *ZERO* impact on actual end-to-end encryption, since there are no middle men to hold accountable for the encryption.

    You would literally have to go after the specific individuals that were utilizing it.

    Or does graham think that criminals aren't smart enough to figure out how to make their own encryption software?

    • by Cmdln Daco ( 1183119 ) on Friday March 06, 2020 @12:41PM (#59803668)

      "When encryption is outlawed, only outlaws will use encryption."

      So law enforcement instantly has an easier job. Just look for encrypted traffic. It's suddenly become only 1% of the traffic, not 87% like previously.

      • by mark-t ( 151149 )

        And just how do you know what encrypted traffic looks liike?

        Serious question... in the end, it's all just 0's and 1's. How do you tell which bits are encypted and which are not? What makes one bit understandable and another not?

        • Valid point. Streaming video is pretty damned random looking, byte-wise, for instance.
          • Perhaps to you [youtube.com]
          • Except it's not random at all and we can use computers to verify it's really a displayable stream of the type it claims to be. Hell, we can decode the stream and run it through a image recognition program to make sure it's not random noise.

        • by 1nt3lx ( 124618 ) on Friday March 06, 2020 @12:56PM (#59803722) Homepage Journal

          Data encrypted with modern symmetric-key cyphers is by design indistinguishable from random data.
          See: https://en.wikipedia.org/wiki/... [wikipedia.org]

          • by Chris Mattern ( 191822 ) on Friday March 06, 2020 @03:15PM (#59804290)

            Data encrypted with modern symmetric-key cyphers is by design indistinguishable from random data.

            But unencrypted data is generally distinguishable from random data. So the encrypted data will in fact stand out.

            • by gweihir ( 88907 )

              Data encrypted with modern symmetric-key cyphers is by design indistinguishable from random data.

              But unencrypted data is generally distinguishable from random data. So the encrypted data will in fact stand out.

              Add a simple steganographic layer and that problem is fixed. Anyways, using encryption as a private citizen is not illegal at this time and this bill does not make it illegal.

        • If you can combine the 1's & 0's sequentially and get images, docs, videos, ... it's unencrypted. Truthfully they just need to expand RFC 3514 to include the illegal activities in the malicious detection system.

          • Damn it, you've beaten me to it, I was going to post that congress would then force implementation of an encrypted bit similar to the evil bit already present in TCP headers. That would line up with what they come up with sometimes...

            https://www.ietf.org/rfc/rfc35... [ietf.org]

            Firewalls [CBR03], packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1.

          • Not necessarily. Look up steganography [wikipedia.org]. There are ways to hide (encrypted) data inside normal looking images or video streams.
            • by ls671 ( 1122017 )

              Agreed but it uses a lot of padding so it is inefficient. The video or image still has to look like a real video or image to avoid raising suspicions. I am sure some use it for very secretive stuff although, especially if they don't want to raise suspicions if somehow intercepted.

              You may also encode data in plain text, again using a lot of padding. In the old days, it was used to sent secretive messages through snail mail without raising any suspicions if the message was read by a third party.

              Note that typ

              • by mark-t ( 151149 )

                Agreed but it uses a lot of padding so it is inefficient.

                That depends on what criteria you are using to describe efficiency.

                If adding padding is more effective at keeping something secret than something that uses less padding and the level of secrecy is more valuable to the sender or receiver than the time it takes to transmit it, then that is still more efficient.

                If you operate on the assumption that criminals aren't going to do bother going through any extra effort to make sure they don't get caught y

        • Measure the entropy of the data stream. It's not particularly difficult for those in the data science field.
        • Couldn't they just watch for the key exchange during the initialization of the TLS session?
      • Enter steganography in 3... 2... 1...

      • What about HTTPS and other encrypted traffic?
    • It doesn't even have to be encryption, it just has to be obfuscation of some sort. How about steganography? There's no reason I can see that you couldn't hide an image inside of another image. Or just plain old 'security through obscurity'; if they want to traffic in illicit images of kids, do it through means no one is even watching. Or just SneakerNet. All the different ways filesharing of all types has been hidden over the years applies here.
      For the millionth time: all of this is just our so-called 'law
    • Or does graham think that criminals aren't smart enough to figure out how to make their own encryption software?

      Of course they are smart enough, but would they do it? Hell no. Criminals are law abiding citizens, they wouldn't do something illegal.

  • by Orgasmatron ( 8103 ) on Friday March 06, 2020 @12:39PM (#59803652)

    There is a very easy solution to this problem that everyone seems to be overlooking. Ask the DOJ to provide a list of SHA1 hashes, and then don't let people send files with matching hashes over the network.

    • Yeah! That's the ticket! Problem solved!

    • by bartle ( 447377 )

      It isn't quite that easy since changing any aspect of the file, even the EXIF data, would alter the file's hash.

      A more sophisticated image fingerprinting scheme could work. Google clearly has technology like this that they use for their image search functionality (it's effective even on images that have been cropped or recolored) but I'm not aware of any open solution that can do the same thing. Still, it's a much better idea for solving the problem than just about any other option I've seen mentioned.

  • EARN IT (Score:5, Funny)

    by Errol backfiring ( 1280012 ) on Friday March 06, 2020 @12:40PM (#59803658) Journal
    Well, if these senators' bank accounts get taken over because encryption is forbidden, they really earned it.
  • by anegg ( 1390659 ) on Friday March 06, 2020 @12:40PM (#59803664)
    Sounds more like an end-run on the US Constitution. There isn't any difference in my mind between the government executing unconstitutional searches and the government requiring companies to conduct searches that if conducted by the government would be unconstitutional. Warrant-less searches by the federal government are unconstitutional; getting a warrant requires having probable cause. Without probable cause and a warrant, requiring a company to conduct searches on behalf of the government is unconstitutional as well.
    • Without probable cause and a warrant, requiring a company to conduct searches on behalf of the government is unconstitutional as well.

      The 3rd party doctrine applies here. Because people are sending messages through theses services, the government can require these services to hand over the messages without any warrants. The open question is whether requiring these services to be able decrypt the messages is a valid application of the 3rd party doctrine.

      Clearly, the 3rd party doctrine needs to be revised to take into account the reality of advanced communication technology.

  • by Iamthecheese ( 1264298 ) on Friday March 06, 2020 @12:43PM (#59803670)
    This is about controlling the rest of us. Criminals, as we and the government know, are perfectly capable of using strong encryption. I've seen over and over these weak excuses, these pathetic fig leaves Congress-critters use. They don't provide them because they believe them or because the goats will accept them. They provide them for the purposes of the propaganda, the fodder they and they owned media put out for the sheep.
  • All the providers do pure, open http, for messaging, passwords, banks and brokerages, credit cards, SSNs, app server and database communication, the works.

    And put Lindsey Graham's name, visible in the window, as the responsible party, every time an insecure transaction is initiated.

    He'll hear about it, I'd bet.

    • Without true, backdoor-less end-to-end encryption, online banking and shopping will almost certainly die.

      Of course that may make the old geezers in Congress happy, especially guys like Graham.

    • First off, SSNs should always be available as public records. There is NO reason they should serve as a secret code to allow checkstand tellers in stores to grant credit cards on demand. Yet the credit industry wants to use SSNs that way.

    • He'll hear about it, I'd bet.

      Clearly you over estimate the level of care that people from South Carolina have for this topic. People in SC would vote this asshole back in year after year even if it meant that they'd have to castrate themselves with wooden spoons. As long as he continues to promise to provide liberal tears, people will vote him into office no matter the cost.

      • As a grandson of the...well...the _state_ of South Carolina, home of Pelzer and of Belton, of the Giant Peach, of that #38 George Rogers mural, of the Little Pee Dee, of Ft. Moultrie ("You WILL NOT climb the mounds by order of the post commandant!"), of the pederastic, drug-dealing, Sadat-greeting University president, of the only legislature to have a full quarter of its members under indictment at once, I am well aware of how clogged with Skoal the brains of most of its inhabitants are.

        I believe the repro

  • Google, Facebook, Apple, WhatsApp, and other large tech firms move offshore. Washington rails against the loss of tax dollars. Totally unrelated of course.
  • Funny how every really dumb idea from public servants is always sold by saying Come On! It is to protect the children/planet etc etc etc.
    My attitude is frak'em every one should encrypt everything end to end.

    And it is the government that is the real worry not malware or criminals.

    Just my 2 cents ;)
  • Before we all get our boxers in a twist, I really don't think this is going to go anywhere, because there may be just enough congresscritters who are actually listening to their tech advisers that'll vote 'no' because they see what pointless chaos it'd cause. So let's all just go easy until we see what happens. Call your congresscritters and inform them in nice calm words exactly why this would be a pointless disaster, if you feel like you need to do something about it.
    • Even if they know it's a terrible bill, who would dare to put their vote down as opposing a law promoted as catching pedophiles? The attack ads next election are obvious, and would be very effective.

      • Guess we'll see won't we? Not like us peon citizens are getting a say in this, we just get to live with the consequences. Then go looking to plant severed heads on poles when it all blows up in our faces.
        In all seriousness if they actually got something like this signed into law, and either encryption became worthless, or encryption became extinct, that'd be the deal-breaker for me, I'd cancel my internet service entirely, tell utility companies and whoever else to start sending paper bills in the mail aga
        • By the time it passes, I expect it'll have a bunch of exceptions in place for financial matters. It won't ban Facebook from using encryption: It'd just mandate that all the encryption they use is between them and an end user, so they can sit in the middle and log everything for law enforcement.

          I doubt it'll catch a single trader in child abuse though.

  • by Grand Facade ( 35180 ) on Friday March 06, 2020 @01:02PM (#59803750)

    All the good kiddie pron is encrypted and congress can't view it.

  • by Woeful Countenance ( 1160487 ) on Friday March 06, 2020 @01:04PM (#59803756)

    The National Center for Missing and Exploited Children officially supports the EARN-IT Act [missingkids.org]. For whatever that's worth.

    NCMEC official statement on end-to-end encryption [missingkids.org]: "Over the past 20 years, we’ve received more than 55 million reports of child sexual abuse to our CyberTipline - in 2018 alone we received over 18 million reports. The abuse is graphic and violent, and the sharing of images online drives the market for offenders to create more images and abuse hundreds of thousands of children each year."

    So, basically what they're saying is that whatever they're doing now is completely useless and ineffective, but somehow encryption makes the problem worse.

    "If end-to-end encryption is implemented without a solution in place to safeguard children, NCMEC estimates that more than half of its CyberTipline reports will vanish." Well, now I kinda want to see the law passed, just to find out how accurate their prediction turns out to be. And if the number of reports dropped from 18 million to 9 million, how would that affect the number of criminal cases actually prosecuted?

    • by fazig ( 2909523 ) on Friday March 06, 2020 @01:27PM (#59803856)
      It's the same nonsense you hear over here in Europe when it comes to surveillance.
      No matter how many liberties they take away and how much they spy on people by putting everyone under the blanket of suspicioun, it's never seems to be enough. Shit still happens and even appears to be getting worse if we look at the current racist extremism in Germany for example. Now there's an entirely new thing to be afraid of - a large dark figure of far-right extremism that has somehow gone unnoticed and is growing despite all the domestic spying that is already done. So what's to be done about that?
      Their answer appears to be always along the same lines: we're not spying enough. More will fix this.


      Hence I'd expect that would be a dangerous step to satisfy one's curiosity as things are not likely to change that much except that the erosion of freedoms progressed one step further to widespread acceptance.
    • My question as it always has been is what happens when encryption is weakened and fraud and identity theft rises to an all time high? How are they going to handle that?

      The FBI investigates fraud, and those fraud investigators probably think their co-worker have lost their minds every time the FBI is involved in yet another story about how encryption is bad. I can see them yelling over a pile of 3 million plus fraud reports a year "Are you stoned? I'm never going to get through all these reports!"

    • "If end-to-end encryption is implemented without a solution in place to safeguard children, NCMEC estimates that more than half of its CyberTipline reports will vanish."

      So now that everyone's home directory has been Poettered with systemd-homed encrypting and seizing full control of the users and their home folders. As part pf being poettered, systemd will decrypt and route everyone's files through approved government portals so said files can be archived and scanned for use if needed in future legal acti
    • What I'm hearing is that they are able to not only get 18 million reports, but actively analyse them for content.

      So what is hiding behind encryption again?

    • Comment removed based on user account deletion
      • by Ambassador Kosh ( 18352 ) on Friday March 06, 2020 @05:15PM (#59804820)

        How is end to end encryption in whatsapp much different than using ssh or a vpn? The government certainly does not have the right to eavesdrop on an ssh connection or a vpn connection so why should this be any different?

        Isn't this related a key vs a combination lock? The law can compel you to give a key if it exists but can't compel you to reveal what you know based on the 5th amendment. So the government has the right to get the locked data and the right to try and break it but no guarantee of success.

        I don't see how all of us giving up our rights to secure communication for personal and business reasons is possibly worth it just so the government has an easier time of finding people breaking the law.

        Remember all of this was in RESPONSE to the government. We got end to end encryption because the government was performing warrantless mass surveillance. This was done because the government was abusing our privacy and the companies responded to that.

  • "platform like Facebook" "force providers to either solve the encryption-while-scanning problem, or stop using encryption entirely"

    Not much more one can say after reading this. So let the laughing commence ;) lol

    Just my 2 cents ;)
  • ... only outlaws will have encryption.

    Maybe these morons like Lindsey Graham should try almost ANY modern transaction without encryption and see how fucking clueless they are when their account is hacked because you just made it (almost) trivial to get hacked.

    --
    Anytime a politician uses the excuse Think of the Children they almost ALWAYS have a secondary agenda. They have to piggyback it on a rider bill because no one would go for their half-baked bullshit idea by itself.

  • That's a particularly disturbing name for a CSAM-based bill given how many politicians were associated with Epstein.
  • I can't wait for someone to slurp up Lindsey Graham accessing his bank account or preferred porn sites.

  • That is just a convenient pretext. Attacks on encryption have traditionally been justified with any of the "Four Horsemen of the Infocalypse". This is no different, except that it is even more despicable because it exploits abused children again.

    The real motivation behind this is and has always been preventing citizens from being able to communicate online without needing to fear that the government is listening. The threat of listening serves to a) create chilling effects where people self-censor (just lik

  • Perhaps the proper answer to "child porn" should be: "well, perhaps people should keep better track of their children".

    Then, when it gets pointed out that it's offensive to good parents whose children were abused, point out that banning cryptography or breaking it by forcing installed backdoors is actually equally offensive.

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...