Encryption expert Riana Pfefferkorn believes new proposed laws – the EARN IT Act and the Lawful Access to Encrypted Data Act – pose dire threats to cybersecurity and privacy.
In this Threatpost interview, Pfefferkorn, who is associate director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society, lends valuable insight as to why proposed legislation is a “full-frontal nuclear assault on encryption in the United States.”
“I think we’re at a point where there is a rising tide around the world of threats to encryption and threats to our online freedoms more generally,” Pfefferkorn told Threatpost. “And it’s going to become more and more difficult, both as a regulatory atmosphere and as normative matter for companies to continue holding the hardline and saying, we cannot afford to go backwards on cybersecurity in light of the kinds of data breaches, information attacks and ransomware we face right now in the world.”
Below is a lightly edited transcript of the interview.
Lindsey O’Donnell-Welch: Hi, everyone, this is Lindsey O’Donnell Welch with Threatpost and I am joined today by Riana Pfefferkorn, the Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society. Riana, thank you so much for joining us today.
Riana Pfefferkorn: Thank you for having me.
LO: So just for all of our viewers, Riana’s work focuses on investigating and analyzing the U.S. government’s policy and practices for forcing decryption and influencing crypto-related design of online platforms and services, both via technical means and through the courts and legislators. And so that is very applicable for what we’re talking about today, which is a recently introduced bill called the Lawful Access to Encrypted Data Act. And that was introduced in June and Riana I want to talk to you a little bit about this, but this bill argued that the ending of the use of “warrant proof encrypted technology” would “bolster national security interests, and better protect communities across the country.” Now, this has generated a lot of backlash from the security and from the privacy space. And I know that you had many thoughts about this as well. So can you talk to me a little bit about what specifically this bill is and kind of what the fine print is for it, and really what it consists of?
RP: Sure. So what this bill does is that it would amend the various parts of the existing framework that we have for the issuance of warrants under federal statute and the issuance of other types of surveillance orders. In the past it has not been clear within the scope of those laws, whether the government could force a company to decrypt information or provide other technical assistance in order to provide access to the plain text of encrypted data. We’ve seen a couple of court decisions saying no, the existing laws do not go so far as to do what it is that you are asking to do, for example, in the Apple versus FBI San Bernardino case involving a warrant to get into a locked phone. So the goal of this bill, as I see it, is to clarify by making additions and amendments to those laws, to that statutory framework, so that rather than relying upon the arguments that the Department of Justice and the FBI have made in recent years to say “these existing laws allow us to get what we want in terms of decrypting data,” now this is an admission, “okay, those laws don’t do that.” And therefore, there needs to be amendments to make that more clear. So this would specifically say that for providers of online services – so that could be pretty much anybody. It could be websites, it could be email, it could be social media. It could be apps and so forth – they would have to decrypt data upon demand. If you are a smaller provider with under a million users or customers or devices sold annually in the U.S., you will be subject to receiving a capability notice from the Attorney General saying build a decryption capability for us to get into your service or your device.
If you have more than a million monthly active users or devices sold in the United States, annually, etc., then you would have to proactively redesign your products, your service in order to have a decryption capability, so that if and when you do receive a warrant or a wiretap order, etc., then you will already have the ability to decrypt that information for law enforcement. So this is a significant escalation from what we have seen in the encryption debate in recent years, where as I said, it’s mostly been relying upon interpretations of existing language and laws on the books and sort of novel stretching of the envelope with regard to what those laws might say. And we have not yet seen any bills as overt as this that directly go to saying encryption out loud.
LO: Right. And I think you make a really good point there about the fact that we’ve seen several kind of bills and policies being discussed that are targeting encryption, but maybe not being so outward about it. Clearly, you’ve been looking at this for a long time and how the U.S. government is handling this. Can you talk a little bit just for context here, about how you’ve seen this debate between law enforcement and the tech industry and encryption evolve over time? I mean, obviously, we’ve seen the big ones like in 2016, Apple versus FBI over the San Bernardino shooter and then it came to a head again, earlier this year too, right? I mean, the whole FBI asking Apple to help unlock the iPhone of the Pensacola shooter. So really what have you seen? And how have you seen this kind of pretext evolve over time?
RP: Yeah, I think that what we’ve seen has been a shift from, prior to about 2014, it was largely pretty straightforward for law enforcement to be able to go and get access to the encrypted data, because at the time, we didn’t yet have as much web traffic encrypted as there is now, we didn’t have strong end-to-end encryption built in by default into a lot of popular messaging services the way we do now. And iPhones and Android phones did not have device or file-based encryption built in by default, the way that we do now. And so it was just easier for investigators with the kinds of legal process that I mentioned – wiretap orders, warrants, etc. – to be able to get decrypted data because that capability was still there. Since about six years ago, both device manufacturers and app makers have re-engineered their products to make that harder, out of a recognition that there’s a lot of risk to people’s personal data, sensitive information, financial information that can be from having that ability to access it. So by cutting law enforcement out of the loop, this is something that they take as a personal affront to themselves. But really, it’s more designed to keep out your cyber criminals, your hackers, your identity thieves, foreign state actors, as well as, you know, companies’ own employees. We’ve seen just recently with the Twitter hack, where that was allegedly, at least in part, a social engineering hack that took place in order to do a stupid cryptocurrency scam. And if that’s the case, we really dodged a bullet there because when employees have powerful access to people’s information, including in the Twitter hack, apparently at least one person’s direct message inbox was accessed, direct messages aren’t end-to-end encrypted, the more that companies realize that they need to build themselves into their threat models for their users, the more we’ve seen them embrace end-to-end encryption as a means of protecting users’ information.
And so that I don’t think that it is accurate for law enforcement to say this is just about us. This is you targeting us. I think it’s more about companies saying, look, law enforcement does not have a monopoly on ensuring people’s safety, we have a responsibility to our users, to their privacy, to their security, to the real world safety impact of not securing their data adequately. And so we need to be taking this responsibility on for ourselves. So it’s really a matter of taking on more responsibility for users, rather than abandoning it and abandoning that responsibility, the way that law enforcement tries to depict it.
LO: And I know you also mentioned that we’re seeing a ton of kind of policy from the U.S. government around this as well. And one of these more recent related bills that we’re seeing is the EARN IT Act. Can you talk about kind of that proposed bill and kind of what, how that’s different, I guess, from the Lawful Access to Encrypted Data Act of 2020, how they’re the same, and kind of how that fits into all of this as well?
RP: Sure. So there were rumblings about the EARN IT Act bill as far back as around the beginning of the year, back in January. The bill text came out in March, and there was an immediate public outcry because it was very clear that it was kind of a sneak attack on encryption. What that bill would do, and what it still would do under the current amended version of it that has been put forth more recently, is that it would curtail platforms’ – again, email, social media apps, etc. – immunity that they enjoy under federal law, a law called Section 230, against liability against state criminal charges and private plaintiff civil lawsuits for child sex abuse material on their services. Now, there’s already a federal law that governs what platforms are supposed to do when they learn about this kind of material on their services, and whom they have to report it to, and how long they have to keep it for, etc. But rather than amending that law, this bill goes after Section 230, I think because there’s kind of a general public distaste now for big tech, people are kind of fed up. And Section 230, while it’s sort of poorly understood, is something that I think lawmakers or law enforcement officials who may be behind drafting both of the two bills we’re talking about today may have seized upon as an expeditious way to kind of get public sentiment behind them, in addition to the fact that we’re talking about one of the most heinous possible crimes out there, which honestly, it’s surprising that this hadn’t been brought out before. It’s kind of a nuclear weapon to bring out child sex abuse material. When previously it’s been kind of lumped in with more of the terrorism focus that we had seen previously around the Pensacola base shooting and around the San Bernardino shooting.
But it seems like public opinion didn’t sway even with really terrible attacks by Islamic extremists. And therefore, now it seems like okay, nobody wants to be seen voting against a bill that supposedly would help protect children. Right? And so the way that these two bills are distinct is that the original version of the EARN IT bill, like I said, seemed like a sneak attack on encryption because it would have allowed this weird punting of the ball down the field and ultimately landing with the Attorney General, who is – at least currently – Bill Barr, who is notoriously anti-encryption. An unelected commission headed by him would be allowed to set the rules for the internet. And what those rules could easily be would be, you cannot provide end-to-end encryption because it would impede the ability to discover CSAM material on your service. Now under the revised version, that commission still exists but it doesn’t have any teeth anymore. It can make these recommendations for best practices. But platforms will, if this bill is passed, lose the immunity I mentioned under Section 230 for CSAM on their services irrespective of whether they follow those best practices or not. But that opens them up to a patchwork of state laws regarding the same topic.
I mentioned that CSAM is already legislated at the federal level, it’s illegal at the federal level, it’s illegal everywhere in the world. It’s also illegal under various state laws. And so by opening up platforms to liability to civil lawsuits and state criminal charges under those state-level laws, this could also still provide a disincentive for platforms around providing end-to-end encryption or otherwise being unable to as efficiently or effectively look for CSAM as they are currently able to do. Many platforms already scan for that automatically. And there’s some concern about whether by having their hand forced, either to do this forcibly by the government, that could actually end up hampering investigations and prosecutions, or whether the reverse could be true, where an amendment that’s been added into the revised version of EARN IT by Senator Leahy would end up incentivizing platforms to encrypt everything, because Leahy has attempted to add an amendment in that would more expressly protect encryption, although I’m not convinced that it goes far enough in doing that.
LO: Yeah, that’s really interesting, for sure. And you mentioned public opinion. I just wanted to ask, what have you seen in terms of public opinion? Because I think a lot of what we are looking at is kind of in the security and privacy industry bubble, I guess. But obviously, I’m sure there’s plenty of opinions out there when it comes to data privacy, when it’s the consumer’s own data in an iPhone or whatever. So what are you seeing there?
RP: It’s interesting, because, you know, I think to some degree I may be kind of in my own bubble, but I do have alerts that tell me, “Okay, where is the EARN IT Act being discussed in, you know, in the media,” for example. And it seems like when you see op-ed pieces around at least that bill, it can kind of go either way. There are a lot of people who are sounding the alarm, saying this would not help child safety. And it would be really detrimental to free speech online, to privacy, potentially to encryption. And yet, there’s also still a pretty strong vein of the sentiment I mentioned, that basically says big tech is kind of too big for its britches. They’re not doing enough about this problem, which is a narrative that I think has been crafted by the Department of Justice. Given that platforms report millions and millions of pieces of CSAM on their services every year, they’re clearly doing a lot.
But sort of taking that tactic and saying they need to be forced to step up and do more rather than abandoning their duties towards the most vulnerable people among our population. So it kind of can go either way. And I think that’s why we’ve seen within our community and within other communities that would be adversely affected by EARN IT, which really is everybody on the internet, but some more than others, there have been really concerted efforts to oppose this bill, partially because there seems to be a sense that it might be more likely to potentially get passed into law, in part because of the child safety issue, in part because it is currently politically popular to introduce attempts to curtail the immunity granted by Section 230 to go after big tech through whatever tool you might happen to have at hand. Whereas with the other bill, the Lawful Access to Encrypted Data Act bill, that was only introduced by three Republican senators; EARN IT had 10 or 12 bipartisan co-sponsors and has already moved out of committee in the Senate. It doesn’t really look like the other bill, with only three backers from one party behind it, is going to be moving, and that seems to be calculated. That bill was introduced just a few days before the amended version of the EARN IT Act. And because of that, it is so extreme and so aggressive and so overtly an attack on security and privacy, a lot of people are saying, look, this has the same co-sponsor, Senator Graham from South Carolina – who’s up for reelection this fall – is a sponsor of both of those bills. Therefore, it seems like this is kind of putting out the real good cop, bad cop of saying, “Well, if you don’t like or it could be far worse, here’s this other alternative, doesn’t this make it look really reasonable and moderate by comparison,” and that may be true, but they both suck. And so there’s not really any reason to pass either of them.
You don’t have to pick one or the other, the lesser of two evils is still evil.
LO: That’s certainly one approach by them. So that’s interesting. And I wanted to ask you too, before we wrap up here, where do you see this whole encryption debate going in the future? In terms of, do you see it evolving at all? Do you see any sort of potential solution, or do you think that it’s going to have to get worse before it gets better? What do you think?
RP: I think that we are very entrenched. You know, when I have discussions with people who are on the other side of this issue, it feels like we’re both just reading off of a script. I think it’s gonna be difficult to get any movement on either side. I think that companies that provide encrypted services are under a lot of pressure. But they also are under a lot of pressure on cybersecurity issues. We’ve started to see class actions and steep regulatory fines for poor data security in recent years in the United States. And so they’re being pulled in two directions. And they also have to consider the international aspect as well. There are other fights going on over this same topic over what online platforms should be liable for, around whether they should be allowed to encrypt or compelled to decrypt for governments in other countries around the world, such as India and Brazil. And because there’s this kind of international aspect, I think that helps to play into the debate here in the United States, where our government can say, well, Australia passed this law or India is going to pass these rules. Why should we get to have the same here? So I think we’re at a point where there is a rising tide around the world of threats to encryption and threats to our online freedoms more generally. And all of those are going to kind of play into each other. And it’s going to become more and more difficult, both as a regulatory atmosphere and as a normative matter, for companies to continue holding the hard line and saying, we cannot afford to go backwards on cybersecurity in light of the kinds of data breaches, information attacks, ransomware, etc., that we face right now in the world.
LO: Right. And there is certainly so much going on, as you mentioned, with other countries in terms of – I think you mentioned Australia had their own kind of regulation that they’re trying to roll out too – and then one last question, I want to ask what’s the next steps for kind of the Lawful Access to Encrypted Data Act? Where does that go from here? I know it was first introduced in June, but kind of what’s the next steps there?
RP: That one, you know, is currently languishing in committee. I don’t think it has come up for any hearings yet. I’m not even aware of any hearings that have been scheduled on it so far. So it sort of remains to be seen whether that goes anywhere, or whether it just kind of quietly dies on the vine. Congress doesn’t have a lot of time left in the current legislative session before a lot of people – including Senator Graham, who co-sponsored both bills – have to go back to their districts to campaign for reelection. There’s a lot of big things that they need to get done before then, such as “Oh, I don’t know, making sure that millions of people don’t end up kicked off of the unemployment rolls and kicked out of their houses after they can’t afford rent anymore.” So it’s not clear to me that that bill is necessarily going to go anywhere, but it would probably first need to go through the same process that EARN IT has already done in terms of coming up for hearings and being voted out of the committee that it was introduced in, so we’ll see. But EARN IT right now is still the more pertinent and immediate threat. And you can go to noearnitact.org, which is a project of another organization called Fight for the Future that’s been really doing a lot of work campaigning against this bill. If you want to sign a petition, if you want to learn more about the bill, that’s the best place to start to take action.
LO: Great. Well, Riana, thank you so much for coming on and talking to us today about the encryption debate and where that’s going.
RP: Thanks for having me.