Unless you’ve been living under a rock, you know that the Crypto Wars are back.
Politicians, seemingly led by Senator Lindsey Graham of South Carolina, appear
bound and determined to undermine users’ privacy and security online to
strengthen the power of the police state. Doing so will have disproportionate effects
on the innocent rather than criminals and will raise operating costs and make it
much harder for small businesses and startups to compete in the US.
- Much like guns and nuclear weapons, the cryptography genie is already out
of the bottle. Inserting backdoors or limiting access to encryption will
affect law-abiding citizens, but criminals will be able to continue to use
encryption software that already exists. In fact, the Al Qaeda terrorist
organization already develops their own encryption
It’s not like they’ll comply with US laws. While we might succeed in
reducing their access to some types of encryption (e.g., encrypted phones),
we won’t be able to completely eliminate it for motivated criminal
enterprises or terror cells.
- There are a lot of legitimate reasons to want to use end-to-end
encryption or full device encryption. Do companies want their sensitive data
accessible to competitors? Do individuals want their data available to
someone who finds their phone in a cab or steals it? Journalists want to be
able to communicate with their sources in confidence, and attorneys and
doctors should be able to securely encrypt their privileged files.
The United States Senate even encourages Senators to use end-to-end
as does the 82nd Airborne Division of the US
- There is no such thing as good guy only access. Being good or evil is a
matter of perspective and ethics, and technology does not recognize those.
Any backdoor, key escrow, or other system designed to comply with these laws
is subject to abuse by malicious governments, malicious insiders, or
criminals. Cryptographer and professor Matthew Green says
Bruce Schneier says
I say so. We’ve seen providers with stored keys breached
so it would be pretty surprising if it didn’t happen again. The only way to
keep the keys from being compromised is for the provider to not have them at
- It will decrease trust in American service providers. Look at the way Huawei
and ZTE are treated because of potential Chinese backdoors. Why would
another country want the US government to have a backdoor into communications
they use? Even if you believe intent is good (and stopping child abuse is),
the way the US government has used spying capabilities in the past raises
There’s good analysis on both EARN IT and LAED, the two bills introduced by
Senator Graham here:
Based on EFF language, I wrote to my Senators and Representative the following:
I write you as both a constituent and in my personal capacity as an expert in cybersecurity. For most of the past decade, I have been employed as a senior security engineer at a large technology company, I have spoken at multiple conferences on information security, and have published articles on the matter.
I strongly urge you to reject both the EARN IT Act (S.3398) and the Lawful Access to Encrypted Data Act. They both pose an existential threat to online privacy and security.
End-to-end encryption protects innocent and law-abiding users against data breaches at their service providers. As we’ve seen time and time again, persons are irreversibly harmed when their communications are leaked, and requiring backdoor access for the government opens that backdoor to abuse by foreign governments and criminals.
The Graham-Blumenthal bill would give the Attorney General far too much power to dictate how Internet companies must operate. Attorney General William Barr has made it clear that he would use that authority to undermine our right to private and secure communications by blocking encryption. Additionally, passing on this power to the Attorney General leaves too much to the whims of each administration, resulting in a great deal of uncertainty regarding the future course of things.
The bill would create a commission tasked with creating “best practices” for owners of Internet platforms to “prevent, reduce, and respond” to child exploitation online. But far from mere recommendations, those “best practices” would be approved by Congress as legal requirements. The EARN IT Act’s structure would let Barr strong-arm the commission to include requirements that tech companies weaken their own encryption systems in order to give law enforcement access to our private communications. Companies could also be required to over-censor speech to comply with the government’s demands, or to bend to future governments’ political agendas in other ways.
Regulations relating to restrictions on speech must reflect a careful balance of competing policy goals and protections for civil liberties. Congress can only strike that balance through an open, transparent lawmaking process. It would be deeply irresponsible for Congress to offload that duty to an unelected commission, and especially not a commission controlled by unelected government officials.
Please publicly oppose the EARN IT Act and the Lawful Access to Encrypted Data Act.
I encourage you to do the