from the don't-break-the-internet dept
In Part I of this series on the Department of Justice's February 19 workshop, "Section 230: Nurturing Innovation or Fostering Unaccountability?" (archived video and agenda), we covered why Section 230 is important, how it works, and how panelists proposed to amend it. Part II explored Section 230's intersection with criminal law.
Here, we ask what DOJ's real objective with this workshop was. The answer to us seems clear: use Section 230 as a backdoor for banning encryption (a backdoor to a backdoor) in the name of stamping out child sexual abuse material (CSAM) while, conveniently, distracting attention from DOJ's appalling failures to enforce existing laws against CSAM. We conclude by explaining how to get tough on CSAM to protect kids without amending Section 230 or banning encryption.
Banning Encryption
In a blistering speech, Trump's embattled Attorney General, Bill Barr, blamed the 1996 law for a host of ills, especially the spread of child sexual abuse material (CSAM). But he began the speech as follows:
[Our] interest in Section 230 arose in the course of our broader review of market-leading online platforms, which we announced last summer. While our efforts to ensure competitive markets through antitrust enforcement and policy are critical, we recognize that not all the concerns raised about online platforms squarely fall within antitrust. Because the concerns raised about online platforms are often complex and multi-dimensional, we are taking a holistic approach in considering how the department should act in protecting our citizens and society in this sphere.
In other words, the DOJ is under intense political pressure to do something about Big Tech, most of all from Republicans, who have increasingly fixated on the idea that Big Tech is the new Liberal Media out to get them. They've proposed a flurry of bills to amend Section 230, either to roll back its protections or to hold companies hostage, forcing them to do things that really have nothing to do with Section 230, like be "politically neutral" (the Hawley bill) or ban encryption (the Graham-Blumenthal bill), because websites and Internet services simply can't operate without Section 230's protections.
Multiple news reports have confirmed our hypothesis going into the workshop: that its purpose was to tie Section 230 to encryption. Even more importantly, the closed-door roundtable after the workshop (to which we were, not surprisingly, not invited) reportedly concluded with a heated discussion of encryption, after the DOJ showed participants draft amendments making Section 230 immunity contingent on compromising encryption by offering a backdoor to the U.S. government. Barr's speech said essentially what we predicted he would say right before the workshop:
Technology has changed in ways that no one, including the drafters of Section 230, could have imagined. These changes have been accompanied by an expansive interpretation of Section 230 by the courts, seemingly stretching beyond the statute's text and original purpose. For example, defamation is Section 230's paradigmatic application, but Section 230 immunity has been extended to a host of additional conduct, from selling illegal or faulty products to connecting terrorists to facilitating child exploitation. Online services also have invoked immunity even where they solicited or encouraged unlawful conduct, shared in illegal proceeds, or helped perpetrators hide from law enforcement. ...
Finally, and importantly, Section 230 immunity is relevant to our efforts to combat lawless spaces online. We are concerned that internet services, under the guise of Section 230, can not only block access to law enforcement, even when officials have secured a court-authorized warrant, but also prevent victims from civil recovery. This would leave victims of child exploitation, terrorism, human trafficking, and other predatory conduct without any legal recourse. Giving broad immunity to platforms that purposefully blind themselves and law enforcers to illegal conduct on their services does not create incentives to make the online world safer for children. In fact, it may do just the opposite.
Barr clearly wants to stop online services from going dark through Section 230, even though Section 230 has little (if any) direct connection to encryption. His argument was clear: Section 230 protections shouldn't apply to services that use strong encryption. That's precisely what the Graham-Blumenthal EARN IT Act would do: greatly lower the bar for enforcement of existing criminal laws governing child sexual abuse material (CSAM), allow state prosecutions and civil lawsuits (under a lower burden of proof), but then allow Internet services to earn back their Section 230 protection against this increased liability by doing whatever a commission convened and controlled by the Attorney General tells them to do.
Those two Senators are expected to formally introduce their bill in the coming weeks. Undoubtedly, they'll refer back to Barr's speech, claiming that law enforcement needs their bill passed ASAP to protect the children.
Barr's speech on encryption last July didn't mention 230 but went much further in condemning strong encryption. If you read it carefully, you can see where Graham and Blumenthal got their idea of lowering the standard of existing federal law on CSAM from actual knowledge to recklessness, which would allow the DOJ to sue websites that offer stronger encryption than the DOJ thinks is really necessary. Specifically, Barr said:
The Department has made clear what we are seeking. We believe that when technology providers deploy encryption in their products, services, and platforms they need to maintain an appropriate mechanism for lawful access. This means a way for government entities, when they have appropriate legal authority, to access data securely, promptly, and in an intelligible format, whether it is stored on a device or in transmission. We do not seek to prescribe any particular solution. ...
We are confident that there are technical solutions that will allow lawful access to encrypted data and communications by law enforcement without materially weakening the security provided by encryption. Such encryption regimes already exist. For example, providers design their products to allow access for software updates using centrally managed security keys. We know of no instance where encryption has been defeated by compromise of those provider-maintained keys. Providers have been able to protect them. ...
Some object that requiring providers to design their products to allow for lawful access is incompatible with some companies' business models. But what is the business objective of the company? Is it "A": to sell encryption that provides the best protection against unauthorized intrusion by bad actors? Or is it "B": to sell encryption that assures that law enforcement will not be able to gain lawful access? I hope we can all agree that if the aim is explicitly "B" (that is, if the purpose is to block lawful access by law enforcement, whether or not this is necessary to achieve the best protection against bad actors), then such a business model, from society's standpoint, is illegitimate, and so is any demand for that product. The product jeopardizes the public's safety, with no countervailing utility. ...
The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. The Department does not believe this can be demonstrated.
In other words, companies choosing to offer encryption should have to justify their decision to do so, given the risks created by denying law enforcement access to user communications. That's pretty close to a recklessness standard.
Again, for more on this, read Berin's previous Techdirt piece. According to the most recently leaked version of the Graham-Blumenthal bill, the Attorney General would no longer be able to rewrite the best practices recommended by the Commission. But he would gain greater ability to steer the commission by continually vetoing its recommendations until it does what he wants. If the commission doesn't make a recommendation, the safe harbor offered by complying with the best practices doesn't go into effect, but the rest of the law still would. Specifically, website and Internet service operators would still face vague new criminal and civil liability for reckless product design. The commission and its recommendations are a red herring; the truly coercive aspects of the bill will happen regardless of what the commission does. If the DOJ signals that failing to offer a backdoor (or retain user data) will lead to legal liability, companies will do it even absent any formalized best practices.
The Real Scandal: DOJ's Inattention to Child Sexual Abuse
As if trying to compromise the security of all Internet services and the privacy of all users weren't bad enough, we suspect Barr had an even more devious motive: covering his own ass, politically.
Blaming tech companies generally and encryption in particular for the continued spread of CSAM kills two birds with one stone. Not only does it offer them a new way to ban encryption, it also deflects attention from the real scandal that should appall us all: the collective failure of Congress, the Trump Administration, and the Department of Justice to prioritize the fight against the sexual exploitation of children.
The Daily, The New York Times' podcast, ran part one of a two-part series on this topic on Wednesday. Reporters Michael Keller and Gabriel Dance summarized a lengthy investigative report they published back in September, but which hasn't received the attention it deserves. Here's the key part:
The law Congress passed in 2008 foresaw many of today's problems, but The Times found that the federal government had not fulfilled major aspects of the legislation.
The Justice Department has produced just two of six required reports that are meant to compile data about internet crimes against children and set goals to eliminate them, and there has been a constant churn of short-term appointees leading the department's efforts. The first person to hold the position, Francey Hakes, said it was clear from the outset that no one felt like the position was as important as it was written by Congress to be.
The federal government has also not lived up to the law's funding goals, severely crippling efforts to stamp out the activity.
Congress has regularly allocated about half of the $60 million in yearly funding for state and local law enforcement efforts. Separately, the Department of Homeland Security this year diverted nearly $6 million from its cybercrimes units to immigration enforcement, depleting 40 percent of the units' discretionary budget until the final month of the fiscal year.
So, to summarize:
Let that sink in. In a better, saner world, Congress would be holding hearings to demand explanations from Barr. But they haven't, and the workshop will allow Barr to claim he's getting tough on CSAM without actually doing anything about it, while also laying the groundwork for legislation that would essentially allow him to ban encryption.
Even for Bill Barr, that's pretty low.
Here is the original post:
Barr's Motives, Encryption and Protecting Children; DOJ 230 Workshop Review, Part III - Techdirt