Look! A political article that has nothing to do with the virus or Trump!
Consider this an olive branch, or just a breath of fresh air, but in this hit piece on the Democratic representative from Connecticut, Ars’s Dan Goodin points out a juicy bit of political hypocrisy on a topic dear to my heart: the dismantling of any chance we might have had at a right to digital privacy from our government.
I think there’s a lot to hate about the EARN-IT act; it does nothing to actually protect anyone, but instead makes it legal for the government (under the guise of law enforcement) to listen in on anyone without oversight and kneecaps the tech sector’s export of trustworthy software. Because, you know, there are indeed naughty photos of children on the internet and the feds can’t see ‘em.
Plus, as a topic this is something I feel we can all come together on: as the bill’s backed by both Dianne Feinstein and Lindsey Graham, this bipartisan bill can be dumped on by all of us in an equally bipartisan fashion.
I get downvoted without any real counterargument every time I bring this up, but maybe this sub will do better.
Despite the hyperbole you see online, the EARN-IT Act doesn’t directly do ANY of the things you’re claiming it does. It does not give the right to listen in on anyone. It doesn’t kneecap export of software. It doesn’t directly do anything to cryptography.
Instead, it creates a taskforce which will create a set of best practices for online companies to comply with. Once it creates that list, then congress has to vote again to pass it into law. To me this ends up being mostly a non-event. If congress wants to pass a law making encryption as we know it impossible, they can just pass the law directly, and they’ll need the same number of votes as it would take to approve those best practices.
I think it’s much more likely that the best practices will take the form of reporting and community moderation guidelines. But if they come back with a proposal like what everyone is screaming about here, then yes, I would oppose it at that time.
> I think it’s much more likely that the best practices will take the form of reporting and community moderation guidelines.
Yes that's pretty much what it does. [The bill](https://www.congress.gov/bill/116th-congress/senate-bill/3398/text) establishes a commission that:
>shall develop and submit to the Attorney General recommended best practices that providers of interactive computer services may choose to engage in to prevent, reduce, and respond to the online sexual exploitation of children, including the enticement, grooming, sex trafficking, and sexual abuse of children and the proliferation of online child sexual abuse material.
But that doesn't work with an app like Signal which is encrypted from user-to-user. Signal would not be able to comply with any bill that requires reporting or community moderation since they can't see what their users are doing.
Also while they're technically only guidelines ("best practices"), any company that doesn't follow them will lose safe harbor protection which pretty much makes these "best practices" mandatory.
The whole point is that we don’t know what the guidelines will be yet, and once we do, they will still have to be voted on in congress. And yes, I know that service providers who use end to end encryption can’t see what users are doing. But when I was referring to reporting, what I had in mind was how they respond to reports from users. Regarding community moderation, of course all best practices aren’t equally applicable to all types of services.
Yes, I’m aware that the “best practices” would essentially be mandatory due to how the safe harbor is structured. But until we know what the best practices will be, we don’t know whether they present a problem.
> Once it creates that list, then congress has to vote again to pass it into law.
This is the only part of your response that was unknown to me. It doesn't appear that OP's article touches on this, or perhaps I missed it. Would you have a source for this?
It's right there in the bill, subsection (c) Congressional Approval.
>(c) Congressional Approval.—
>(1) DEFINITION.—In this subsection, the term “covered bill” means a bill that—
>(A) contains only the recommended best practices that have been submitted to Congress under subsection (b), in their entirety; and
>(B) is introduced under paragraph (3) of this subsection.
>(2) RULES OF HOUSE OF REPRESENTATIVES AND SENATE.—This subsection is enacted by Congress—
>(A) as an exercise of the rulemaking power of the Senate and the House of Representatives, respectively, and as such is deemed a part of the rules of each House, respectively, but applicable only with respect to the procedure to be followed in that House in the case of a covered bill, and it supersedes other rules only to the extent that it is inconsistent with such rules; and
>(B) with full recognition of the constitutional right of either House to change the rules (so far as relating to the procedure of that House) in the same manner, and to the same extent, as in the case of any other rule of that House.
>(A) IN GENERAL.—On the day on which recommended best practices are submitted to Congress under subsection (b), a covered bill containing those best practices shall be introduced—
>(i) in the Senate by—
>(I) the majority leader of the Senate, for himself or herself and the minority leader of the Senate; or
>(II) Members of the Senate designated by the majority leader and minority leader of the Senate; and
>(ii) in the House of Representatives by—
>(I) the majority leader of the House of Representatives, for himself or herself and the minority leader of the House of the House of Representatives; or
>(II) Members of the House of Representatives designated by the majority leader and minority leader of the House of the House of Representatives.
> [Full text](https://www.congress.gov/bill/116th-congress/senate-bill/3398/text)
No, it doesn’t do any of that directly; but it empowers another tech-illiterate panel to step in, declare “best practices” and *enforce them as law*. That makes for an effectively quasi-legislative *entity* with no checks on it.
Now, I don’t know what your background is, but I’ve worked in fintech for over a decade. “Best practices” means different things to different people based on the goals of the body that forms them. In the technology space, even nongovernmental regulatory bodies like PCI will come up with bizarre expectations or practices that may be onerous to a company because — surprise! — the Payment Card Industry council’s primary goal is to ensure that credit cards and the payment transactions made through them remain secure and viable for merchants to accept and consumers to use.
When the goal of S.3398 specifically states
- directs the commission to develop best practices for interactive online services providers (e.g., Facebook and Twitter) to prevent the online sexual exploitation of children;
- requires interactive online service providers to certify compliance with the best practices (or implement other reasonable practices to prevent the online sexual exploitation of children), or else they lose liability protections from claims alleging violations of child sexual exploitation laws
... it’s not hard to see what they’re after, and what they’ll require of companies like Snapchat, or Signal, or Telegram. It’s a well-known goal of the DoJ, and was worth criticizing just as heavily when it was [Eric Holder trying the same thing](https://www.reuters.com/article/us-usa-smartphones-holder-idUSKCN0HP22P20140930).
This is a push to weaken Section 230, and *allows* this commission to effectively bypass congress in setting rules for service providers that allow people to transmit content. The fact that it doesn’t come right out and say it is exactly *why* it’s so dangerous.
My background is that I’m a lawyer who has been working in technology law for a decade. In my current role I’m heavily involved in several trade and industry groups that most people would call lobbying organizations, where I represent my company’s interests in discussing pending legislation. My industry contacts just haven’t been interested in this bill, because they view it as a glorified committee study.
Read section 4(c) of the bill, which someone posted below. They’re not sidestepping congress. Congress has to vote to approve the best practices. This is what I was talking about in my first comment.
Regarding section 230, we don’t know whether it’s a worthwhile weakening of that section until we know what the suggested best practices are. Then congress will take the issue up again.
> Congress has to vote to approve the best practices. This is what I was talking about in my first comment.
So the blind leading the blind?
Imagine the BAR in your State being led by a bunch of scrubs that never went to law school and actually practiced law...yeah it's like that for those of us who know what we are doing.
I messed up with “bypassing”, I was admittedly hyperbolic and wrong to use that language.
In your experience though, are 4(c)'s limitations on debate normal for lopsided committees like these? Or the fast-tracking for bills submitted this way?
Personally I could see this becoming a means for the DoJ to hammer congress with proposals until one gets through. But I’m very much looking at this from the infosec side, and as a privacy advocate. From where I sit I feel like I’ve seen this song and dance before, and I don’t expect it will do anything but further erode digital privacy for individuals.
Even with the expedited process in 4(c), it still has to pass through both a committee and a full floor vote. The committees and the full floor in each chamber can still debate it, they just need to do it in the 60 day timeframe. The limitations on debate only happen if they don’t actually debate it during that time period. So it’s not ideal, but it’s not that rushed either.
My ambivalence at this point is mostly informed by my experience in lobbying activities, and how responsive legislators actually tend to be to these business groups. The reality is that none of the big tech companies want to kill encryption, because it will make it impossible for them to do business overseas. They also don’t want to take on additional liability. I’m very confident in their ability to kill anything terribly onerous that comes back to congress. And the fact that none of my peers seem to be sweating it either tells me that they view the risk similarly.
That does make me feel better, actually. Thanks for the perspective!
All that aside, I still find the committee composition ridiculous. But that’s a different judgment entirely— more on principle rather than peril.
I tend to agree on the committee composition. And I also think some parts of the law are ill-advised, and may still set us up for a big showdown. But that’s part of why I tend to push back against some of the hyperbole against this law. If everyone is screaming that this kills encryption it makes the legislators less sensitive to the issue, because it objectively does not impact encryption right now. I’m worried about a “boy who cried wolf” situation if the best practices recommendations end up being ugly.
You don't consider Congress having to vote and approve the bills sent by the committee a check? Not to mention the same checks that Congress always has on it (SCOTUS and Presidential veto).
Edit - Can you explain how this bill allows the committee to bypass Congress?
Congress, in general, is tech-illiterate. There's a strong chance they're going to appoint bagmen for Goldman Sachs, Google, and Facebook to be the "experts" on the panel that decides what best practices are.
Not a sufficient one. The initial proposed requirements here ([Sec 4.a.3 S.3398](https://www.congress.gov/bill/116th-congress/senate-bill/3398/text))
> MATTERS ADDRESSED.—The matters addressed by the recommended best practices developed and submitted by the Commission under paragraph (1) shall include—
> (C) retaining child sexual exploitation content and related user identification and location data;
> (D) receiving and triaging reports of child sexual exploitation by users of interactive computer services, including self-reporting;
> (K) contractual and operational practices to ensure third parties, contractors, and affiliates comply with the best practices.
... are already enough. ~~The entire commission doesn’t actually require a technology expert at all — someone “involved” with limiting child pornography in a business capacity can be placed in lieu of anyone who’s even looked at a line of code before.~~ How is congress supposed to make that determination?
C and D alone require any communication platform to retain searchable records. K makes this a downstream requirement. Anyone who’s worked in infosec should be able to see this clearly, but it’s probably going right past everyone else who doesn’t realize why “record retention and user identification” matters in this context.
And as for the vote itself, the bill has language to push past many of the normal hindrances to other pieces of legislation:
> (B) PROCEEDING TO CONSIDERATION. [..]
> All points of order against the motion are waived. Such a motion shall not be in order after the House has disposed of a motion to proceed on the covered bill. The previous question shall be considered as ordered on the motion to its adoption without intervening motion. The motion shall not be debatable. A motion to reconsider the vote by which the motion is disposed of shall not be in order.
> (C) CONSIDERATION.—The covered bill shall be considered as read. All points of order against the covered bill and against its consideration are waived. The previous question shall be considered as ordered on the covered bill to its passage without intervening motion except 10 hours of debate equally divided and controlled by the proponent and an opponent. A motion to reconsider the vote on passage of the covered bill shall not be in order.
Edit: I misread the commission composition and misspoke: *2* members of the 16-person panel must have actual software knowledge. The rest, however— don’t. It’s still top-loaded in favor of prosecutors and the DoJ.
Agreed, I haven't been able to get any good answers on what this actually does to cryptography. Now, it's totally worth keeping an eye on this committee, and raising the alarm if any of the bills they introduce *do* threaten encryption. But calling this one an "anti-encryption" bill is pure nonsense IMO.
I'm open to counterpoints though, if I missed something in the bill that actually does what people are claiming.
It sounds like the problem is that the senator backing the bill disagrees with other senators that the bill would weaken encryption. It's in like the first paragraph, I don't understand why the headline would frame it differently.
Reasonable people can disagree with whether or not it does weaken encryption, which it probably does, but the bill isn't explicitly designed to do it, and another senator thinks it's really just a Trojan horse to do so, but because nobody's going to admit to that we can't know what the intention of everyone backing the bill is. Just reading the headline is definitely worthy for this sub but even skimming through the actual article will reveal that it's not that simple even if the senator backing the bill secretly just wants to weaken encryption for one reason or another. It's just the fault of the headline writer really. Also on another note, if the government IS pushing this as a Trojan horse to get access to people's data like with that Apple encryption debate, it's just not going to work because anyone actively trying to remain encrypted will still have access to services that use end-to-end encryption. Weakening certain encryption through a voluntary incentive is just going to make services that specifically advertise encryption more profitable. I don't think this bill is really going to hurt encryption in the long run, and I don't think it's the senator's intention to do so, at least not primarily.
The EARN IT Act establishes a committee to make recommendations on fighting child porn. Those recommendations will then need to pass the normal congressional procedures for becoming law.
Yes, it's possible that one of those recommendations might be to weaken or eliminate encryption. But even if that doomsday scenario happens, those recommendations will still need to go through a hell of a lot to become law.
PERFECTLY for ME (or what is my current scam's focus), but why do you have some notion you deserve this? How DARE you. Now accept your punishment like a good citizen. Never mind someone is paying me to advocate for this.
Can't pay? Why do you THINK you deserve a voice? Oh, what Constitution? How quaint. It's just ME NOW BABY. DO AS YOU'RE TOLD or pony up.
Literally every Republican now has permission to do this like the abject narcissists they all are (thanks Trump!), and the rest (the rest ARE still politicians) are often so out of touch that it makes them seem like douchebags, even if they are just clueless.
This is how, after generations, we get scores of people voting against their own interest, over and over and over and over and over again, across generations of complete dumbasses.
And how a sitting President can say SO MANY things that are 'good for me and my identified group' and bad and even profane or horrifying for literally everyone else.
America is SO SO broken. Good luck in avoiding fascism when this COVID-19 is over. It's almost completely dismantled right NOW... There will exist nothing like the America I grew up in if Trump and his cronies get 4 more years to turn this into a police state.
Frankly, even Canada will likely be annexed in that 'next 4 years'.
All a “backdoor” is is a “key under the doormat”.
Zoom’s program tried to lock things down but left itself backdoors to improve service. Then the internet scamps found them and caused mischief.
ANY hardwired key leaves a trace... all it takes is one program out of thousands to accidentally leak the key.... see how long the DCSS key lasted for DVDs that was built into every player. Even manufacturer specific Blu-Ray disc keys are cracked in a few months because in thousands of models of players, someone finds a bug to get the key out. A Federal Law Enforcement Key would get cracked just as fast. Then everything encrypted with that key is wide open... government moves glacially slow, Security would be open for months before patches were in place.
The Electronic Frontier Foundation did up an article about that.