Subject: Encryption Under 'Full-Frontal Nuclear Assault' By U.S. Bills
From: Grim Reaper\(life) p
Newsgroups: alt.privacy, alt.fan.rush-limbaugh, comp.misc, sci.crypt, talk.politics.crypto, alt.cypherpunks, talk.politics.misc, misc.survivalism, alt.anonymous
Followup: alt.privacy, comp.misc, sci.crypt, alt.fan.rush-limbaugh, talk.politics.crypto
Organization: Neodome
Date: Thu, 3 Sep 2020 17:13 UTC

<https://threatpost.com/encryption-under-full-frontal-nuclear-assault-by-u-s-bills/157748/>

The U.S. government and tech companies continue to butt heads over the idea of encryption and what that means for law enforcement.

Encryption expert Riana Pfefferkorn believes new proposed laws – the EARN IT Act and the Lawful Access to Encrypted Data Act – pose dire threats to cybersecurity and privacy.

In this Threatpost interview, Pfefferkorn, who is associate director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society, lends valuable insight as to why proposed legislation is a “full-frontal nuclear assault on encryption in the United States.”

“I think we’re at a point where there is a rising tide around the world of threats to encryption and threats to our online freedoms more generally,” Pfefferkorn told Threatpost. “And it’s going to become more and more difficult, both as a regulatory atmosphere and as normative matter for companies to continue holding the hardline and saying, we cannot afford to go backwards on cybersecurity in light of the kinds of data breaches, information attacks and ransomware we face right now in the world.”

Listen to the full interview with Pfefferkorn below.

<https://www.youtube.com/watch?v=lFS959M-8NU>

Below is a lightly edited transcript of the interview.

Lindsey O’Donnell-Welch: Hi, everyone, this is Lindsey O’Donnell Welch with Threatpost and I am joined today by Riana Pfefferkorn, the Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society. Riana, thank you so much for joining us today.

Riana Pfefferkorn: Thank you for having me.

LO: So just for all of our viewers, Riana’s work focuses on investigating and analyzing the U.S. government’s policy and practices for forcing decryption and influencing crypto-related design of online platforms and services, both via technical means and through the courts and legislators. And so that is very applicable for what we’re talking about today, which is a recently introduced bill called the Lawful Access to Encrypted Data Act. And that was introduced in June and Riana I want to talk to you a little bit about this, but this bill argued that the ending of the use of “warrant proof encrypted technology” would “bolster national security interests, and better protect communities across the country.” Now, this has generated a lot of backlash from the security and from the privacy space. And I know that you had many thoughts about this as well. So can you talk to me a little bit about what specifically this bill is and kind of what the fine print is for it, and really what it consists of?

RP: Sure. So what this bill does is that it would amend the various parts of the existing framework that we have for the issuance of warrants under federal statute and the issuance of other types of surveillance orders. In the past it has not been clear within the scope of those laws, whether the government could force a company to decrypt information or provide other technical assistance in order to provide access to the plain text of encrypted data. We’ve seen a couple of court decisions saying no, the existing laws do not go so far as to do what it is that you are asking to do, for example, in the Apple versus FBI San Bernardino case involving a warrant to get into a locked phone. So the goal of this bill, as I see it, is to clarify by making additions and amendments to those laws to that statutory framework, so that rather than relying upon the arguments that the Department of Justice and the FBI have made in recent years to say “these existing laws allow us to get what we want in terms of decrypting data.” Now, this is an admission, “okay, those laws don’t do that.” And therefore, there needs to be amendments to make that more clear. So this would specifically say that for providers of online services – so that could be pretty much anybody. It could be websites, it could be email, it could be social media. It could be apps and so forth – they would have to decrypt data upon demand. If you are a smaller provider with under a million users or customers or devices sold annually in the U.S., you will be subject to receiving a capability notice from the Attorney General saying build a decryption capability for us to get into your service or your device.
If you have more than a million monthly active users or devices sold in the United States, annually, etc., then you would have to proactively redesign your products, your service in order to have a decryption capability, so that if and when you do receive a warrant or a wiretap order, etc., then you will already have the ability to decrypt that information for law enforcement. So this is a significant escalation from what we have seen in the encryption debate in recent years, where as I said, it’s mostly been relying upon interpretations of existing language and laws on the books and sort of novel stretching the envelope with regard to what those laws might say. And we have not yet seen any as overt bills as this that directly go to saying encryption out loud.

LO: Right. And I think you make a really good point there about the fact that we’ve seen several kind of bills and policies being discussed that are targeting encryption, but maybe not being so outward about it. Clearly, you’ve been looking at this for a long time and how the U.S. government is handling this. Can you talk a little bit just for context here, about how you’ve seen this debate between law enforcement and the tech industry and encryption evolve over time? I mean, obviously, we’ve seen the big ones like in 2016, Apple versus FBI over the San Bernardino shooter and then it came to a head again, earlier this year too, right? I mean, the whole FBI asking Apple to help unlock the iPhone of the Pensacola shooter. So really what have you seen? And how have you seen this kind of pretext evolve over time?

RP: Yeah, I think that what we’ve seen has been a shift from, prior to about 2014, it was largely pretty straightforward for law enforcement to be able to go and get access to the encrypted data, because at the time, we didn’t yet have as much web traffic encrypted as there is now, we didn’t have strong end to end encryption built in by default into a lot of popular messaging services the way we do now. And iPhones and Android phones did not have device or file based encryption built in by default, the way that we do now. And so it was just easier for investigators with the kinds of legal process that I mentioned – wiretap orders, warrants, etc. – to be able to get decrypted data because that capability was still there. Since about six years ago, both device manufacturers and app makers have re-engineered their products to make that harder, out of a recognition that there’s a lot of risk to people’s personal data, sensitive information, financial information that can be from having that ability to access it. So by cutting law enforcement out of the loop, this is something that they take as a personal affront to themselves. But really, it’s more designed to keep out your cyber criminals, your hackers, your identity thieves, foreign state actors, as well as you know, company’s own employees. We’ve seen just recently with the Twitter hack, where that was allegedly, at least in part, a social engineering hack that took place in order to do a stupid cryptocurrency scam. And if that’s the case, we really dodged a bullet there because when employees have powerful access to people’s information, including in the Twitter hack, apparently at least one person’s direct message inbox was accessed, direct messages aren’t end to end encrypted, the more that companies realize that they need to build themselves into their threat models for their users, the more we’ve seen them embrace end to end encryption as a means of protecting users’ information.
And so that I don’t think that it is accurate for law enforcement to say this is just about us. This is you targeting us. I think it’s more about companies saying, look, law enforcement does not have a monopoly on ensuring people’s safety, we have a responsibility to our users, to their privacy, to their security, to the real world safety impact of not securing their data adequately. And so we need to be taking this responsibility on for ourselves. So it’s really a matter of taking on more responsibility for users, rather than abandoning it and abandoning that responsibility, the way that law enforcement tries to depict it.

LO: And I know you also mentioned that we’re seeing a ton of kind of policy from the U.S. government around this as well. And one of these more recent related bills that we’re seeing is the EARN IT act. Can you talk about kind of that proposed bill and kind of what, how that’s different, I guess from the Lawful Access to Encrypted Data Act of 2020, how they’re the same and kind of how that fits into all of this as well.

RP: Sure. So there were rumblings about the EARN IT act bill as far back as around the beginning of the year back in January. The bill text came out in March, and there was an immediate public outcry because it was very clear that it was kind of a sneak attack on encryption. What that bill would do, and what still would do under the current amended version of it that has been put forth more recently, is that it would curtail platforms – again, email, social media apps, etc. – their immunity that they enjoy under federal law, a law called Section 230 against liability against state criminal charges and private plaintiff civil lawsuits for child sex abuse material on their services. Now, there’s already a federal law that governs what platforms are supposed to do when they learn about this kind of material on their services, and whom they have to report it to, and how long they have to keep it for etc. But rather than amending that law, this bill goes after Section 230, I think because there’s kind of a general public distaste now for big tech, people are kind of fed up. And Section 230, while it’s sort of poorly understood is something that I think lawmakers or law enforcement officials who may be behind drafting both of the two bills we’re talking about today, may have seized upon as an expeditious way to kind of get public sentiment behind them, in addition to the fact that we’re talking about one of the most heinous possible crimes out there, which honestly, it’s surprising that this hadn’t been brought out before. It’s kind of a nuclear weapon to bring out child sex abuse material. When previously it’s been kind of lumped in with more of the terrorism focus that we had seen previously around the Pensacola base shooting and around the San Bernardino shooting.

