LAED Act Poses Direct Threat to End-to-End Encryption

Remember the EARN IT Act, which stirred up so much contention back in mid-March? Well, there’s another Act threatening end-to-end encryption too – but it might be little more than a foil for its predecessor.

EARN IT first surfaced as a discussion draft back in January before its official introduction in March. It uses the specter of child sexual abuse material to impose ‘best practices’ on technology companies. Any companies not following those best practices could be subject to removal of their protections under Section 230 of the Communications Decency Act.

Section 230 is what built the modern internet. It protected online companies from liability for what people posted on their websites. Without it, people could have sued the likes of Facebook and Twitter for illegal content that users posted using their accounts. It enabled those companies to exist in their current form.

EARN IT’s best practices would be the product of a 15-member government commission, and privacy advocates worried that they could include backdoors for encryption. This is something that Attorney General William Barr has advocated for in the past.

In late June, senators introduced a bill that goes after end-to-end encryption directly. Called the Lawful Access to Encrypted Data Act (LAED), it forbids providers from offering end-to-end encryption in online services and devices unless it can be circumvented by law enforcement. If a provider hasn’t already built such a backdoor, then the Attorney General can force it to do so using an “assistance capability directive.”

In that sense, it is akin to the UK’s Investigatory Powers Act, and the Assistance and Access Act, which is now law in Australia.

Once again, the debate between those wanting to protect the vulnerable and those wanting privacy comes to a head. The former believe that encryption is a terrible thing because it enables bad people to do bad things under cover. The latter worry that governments will overreach their powers, snooping on legitimate communications that have nothing to do with them. They also fear that foreign actors and cyber-criminals could find and use those backdoors for their own illegitimate purposes.

No technology is immune to compromise. Think back to the mid-90s, when the US attempted to introduce a chip that would enable it to decode all communications. Cryptography expert Matt Blaze discovered a critical flaw in the Clipper Chip, and shortly afterwards the idea was scrapped.

If enacted, LAED would make it far more difficult for messaging services using end-to-end encryption to survive, at least in the US. However, it wouldn’t be impossible. Just ask Telegram, which Russia tried to ban. The country backed down in June, effectively admitting defeat.

Even if the US government succeeds in introducing an encryption backdoor, ne’er-do-wells could quite easily encrypt their content using other means before sending it along those channels. There is no shortage of encryption software using tried and tested protocols.

In a write-up on the Stanford Law School’s Center for Internet and Society blog, associate director of surveillance and cybersecurity Riana Pfefferkorn argued that LAED is so terrible from a privacy perspective that it might be little more than a stalking horse for EARN IT. The bill may be so egregious that people decide to choose the lesser of two evils. Both bills, after all, come from the same author: Senate Judiciary Committee chairman Lindsey Graham.
