
Stop Earn It Bill


The chances of this bill NOT passing are very small; in fact, the final bill will probably be worse than the one being submitted for discussion and vote.

So I guess from encrypted emails we will have to go to encrypted files sent directly as files, and maybe even to encrypted text hidden inside photographs in those files... or switch to ProtonMail or other companies which are not under US laws, yet.

These articles are from ProtonMail, a service, a Swiss company, that I am switching over to from Gmail. Will post my new email address when I switch. In case you don't know about ProtonMail and are interested in a free encrypted email service and encrypted VPN, here are the links:

Get a free secure email account from ProtonMail here.

Or a free VPN service to protect your privacy.

Free ProtonMail and ProtonVPN are funded by community contributions.

Any opinions?

====================================
EARN IT is a dangerous law that could be used to break encryption

Posted on August 4, 2020 by Richie Koch

We recently wrote about a proposed law in the United States known as the Lawful Access to Encrypted Data Act (LAED Act), which would basically ban encryption by requiring companies to build a backdoor. But this is not the only effort underway in the US Congress that attempts to destroy privacy as we know it.

On July 2, the Senate Judiciary Committee voted to approve the EARN IT Act (an acronym that stands for Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020). Now that it is out of committee, EARN IT is scheduled to be debated on the Senate floor. This bill, if passed, would require social media companies to monitor all of the content shared on their platforms, including private messages, ostensibly to prevent the spread of child sexual abuse material.

But the bill is loosely worded and gives extraordinary power to individual states to create their own rules. Advocates for online freedom say the legislation is ill-fitted for its stated purpose and may instead force Internet companies to monitor all their users’ activity, even if that means breaking encryption.

In other words, EARN IT can be used as a trojan horse to attack encryption, or as critics have put it, a “backdoor to a backdoor.” Despite the bill’s authors claiming it has nothing to do with encryption, it opens the door to states requiring measures that would undermine end-to-end encryption, such as scanning messages before they are encrypted.

While we recognize the scourge of child sexual abuse material online — and the role that Big Tech has played in its proliferation — EARN IT is a nonsensical approach to solving the problem. There are many proposed solutions, such as removing videos of children from the YouTube recommendation system, which has been used by pedophiles to create repositories of content. EARN IT instead would address the problem by making YouTube remove almost all the videos of children, period, as YouTube would not want to risk the increased liability it will face under the new law.

EARN IT only tangentially addresses the problem of abusive material online. Its primary effects would be to require companies to monitor their users, enforce the censorship of legal information, and create a framework to break encryption.
How EARN IT works

Under US law, tech platforms are generally not legally liable for the content that users post on their platforms. This is the legal premise that has enabled Facebook and Twitter to become clearinghouses for fake news, slander, and extremist content. It is codified under Section 230 of the Communications Decency Act.

The original premise of EARN IT is that online and social media companies would have to “earn” their Section 230 protections by following specific best practices, which were going to be created by a 19-member federal commission.

Now, after all the amendments that were added in committee, the bill instead makes companies liable if child sexual abuse appears on their platform, full stop. In other words, abusive material would not be protected by Section 230.

The federal commission’s power has also been reduced, and its best practice list will be voluntary. However, that same amendment will allow all 50 states to write their own rules and regulations to prevent abusive material. If an Internet company does not comply with these laws, it opens itself up to potential state-level criminal charges.

This would result in a patchwork legal system where every state has its own set of rules, which would likely lead Internet companies to simply adopt the most restrictive state code as its standard. It only takes one state to require Internet companies to scan content before it is encrypted to undo end-to-end encryption.
How EARN IT attacks encryption and free speech

EARN IT would turn Internet companies into censors, and gives states the power to undermine end-to-end encryption.

By attacking Section 230, this bill guarantees that a large swath of legal free speech would be suppressed. To avoid liability, online companies will delete anything that is even tangentially related to the targeted topic.

We know this because we’ve witnessed it before. The Fight Online Sex Trafficking Act, which this bill now resembles, was meant to only target sex trafficking. However, in practice, it led to Craigslist deleting its entire “Personals” section and Microsoft monitoring Skype for vulgarity and nudity.

It could also be the bill that breaks encryption. Instead of a direct attack on encryption like the LAED Act, EARN IT would give the US states the power to undo end-to-end encryption. States could require Internet companies to scan messages before they are encrypted or create new ways to access end-to-end encrypted messages without touching the encryption. Australia’s Assistance and Access law plays this same semantic game by requiring Internet companies to help law enforcement develop malware that can access information after it has been decrypted on your device, thereby technically leaving the encryption intact.

Defenders of the bill say it has nothing to do with encryption. In fact, an amendment was introduced that protects Internet companies from these state and private lawsuits if they use encryption. But, as Riana Pfefferkorn explains in the Center for the Internet and Society blog, this protection only applies if a company’s liability is “because of” its use of encryption. If prosecutors can present other feasible grounds for their charges, even if it’s just a pretext, the case likely would have to go to court.

While the amendment protecting encryption is better than nothing, any American company that offers end-to-end encryption would have to be prepared to fight several long, costly court battles to see if it would hold up against state laws. Many companies and organizations cannot afford that type of litigation. The end-to-end messaging service Signal has already stated they would likely have to move their headquarters outside the US if EARN IT passes.
How would EARN IT affect you?

If you are a Proton user, you would avoid the most harmful effects of EARN IT. We are a Swiss company, and the data centers ProtonMail uses are all in Switzerland. Therefore, we are not subject to US laws. Any request from foreign law enforcement needs to be approved by Swiss authorities.

EARN IT would lead to a massive overreaction by Internet companies, as they will remove completely legal user content to avoid even the hint of liability. Or, as the ACLU said in its letter to the Senate Judiciary Committee, “Even if the speech covered by the law could be restricted without raising constitutional concern, the content moderation practices the companies will deploy to avoid liability risk will sweep far more broadly than the illegal content.”

If a state takes up the invitation of this law and passes regulations against end-to-end encryption, it will place many American companies, like WhatsApp or Signal, in a tough place. Do they fight numerous costly court cases, break their encryption, or leave the US?
We cannot allow Congress to pass EARN IT

EARN IT chips away at one of the legal foundations for free speech on the Internet and jeopardizes the encryption that keeps the Internet secure in the name of preventing abusive material from appearing online. However, posting child sexual abuse material is already a federal crime, which means it is exempt from Section 230 to begin with. There are many more effective ways to prevent the proliferation of this type of material, like supporting the Invest in Child Safety bill, which would direct mandatory funding into the investigation and prosecution of pedophiles and abusers.

Furthermore, if this bill was not intended to target encryption, the lawmakers could have included strong explicit protections for encryption from the beginning. Instead, lawmakers added an amendment as a fig leaf, and it’s not even clear that it would defend encryption if it was tested out in court.

In short, EARN IT is vague, unnecessary, and unlikely to solve the problem it claims to be addressing. Instead, it would expand government surveillance and censorship and possibly force companies to create backdoors in their encryption.
What you can do

EARN IT has left committee, but it has not yet faced a floor vote in either the Senate or the House of Representatives. You can monitor its progress here.

We strongly encourage all Americans to write to their representatives in Congress and tell them to vote against EARN IT. This is your chance to remind Congress that you value your security and freedom of speech. The Electronic Frontier Foundation’s Action Center will help you get in touch with your representatives.

You can also protect your personal messages by signing up for a free email account with ProtonMail. This account will also give you access to the free version of ProtonVPN, which you can use to encrypt your online browsing.

EARN IT threatens everyone’s right to an Internet that protects people’s privacy and freedom. Help us stop it.

====================================
The Lawful Access to Encrypted Data Act wants to ban strong encryption
Posted on July 22, 2020 by Richie Koch

The United States Congress is considering a law that would destroy online privacy as we know it and essentially outlaw the most secure American tech products, such as Signal. The law would ban end-to-end encryption for large companies and require developers to break their own products at the request of law enforcement agencies.

The bill is called the Lawful Access to Encrypted Data (LAED) Act, proposed by three Republican Senators on June 23.

The stated purpose of the law is to give police and security agencies the ability to quickly access information contained on a suspect’s encrypted device. The LAED Act targets all data that is encrypted, both in transit and at rest. So not only would a tech company be forced to help the FBI break into a smartphone seized from a suspect, but it would also have to build a way to let officials monitor end-to-end encrypted communications, including whoever the suspect is talking to.

This bill reopens the door to the kind of government surveillance that led us to create Proton back in 2014. Make no mistake: This bill puts the privacy and security of everyone at risk, not only suspected criminals. If a back door exists, no one is safe.
What is the Lawful Access to Encrypted Data Act?

This law would require any American company with more than 1 million users in the US to be able to decrypt its users’ data and present it to law enforcement. It would apply to operating systems, messaging apps, videoconference apps, email providers, and cloud storage apps, as well as any device that has at least 1 GB of memory.

This bill also attacks the encryption system that keeps the entire Internet secure. The LAED Act would require a backdoor to HTTPS, the system that secures almost all websites with TLS encryption, so that law enforcement could access encrypted metadata. Without HTTPS, attackers can trace your online activity from site to site. If HTTPS were to be broken it would fundamentally alter how the Internet worked.
How would the LAED Act work?

The LAED Act would supplement the ways law enforcement agencies get permission to access private information. Currently, if authorities want to access data at rest (such as a photo on your computer) they need a search warrant, and if they want to access data in motion (such as text messages being sent over the Internet) they need permission for a wiretap.

Under the LAED Act, if law enforcement wants to decrypt a device to access data at rest, they would need to get a court order requiring technical assistance from the service provider in addition to the standard search warrant. The LAED Act would set a comically low bar to require decryption: All the police have to do is prove there are “reasonable grounds to believe” decrypting a device will help in the execution of their search warrant. In other words, if the authorities can prove that it is reasonable to expect that decrypting a device will yield useful information, then a judge must order that the device be decrypted and the service or device provider in question must decrypt their product.

Example: Under the LAED Act, police could require Apple to decrypt a suspect’s phone so that it can access the data it holds (presuming it can convince a judge that there are “reasonable grounds to believe” it contains useful information).

To give law enforcement access to data in transit, the LAED Act would add the word “decrypt” right into the technical assistance a service provider must perform if it is served with a wiretap warrant. A wiretap warrant lets law enforcement get access to the content of a message or conversation. This new wording would force any service provider that is served with a wiretap to undo its encryption and present the plaintext content of the messages in question to law enforcement.

Example: Under the LAED Act, law enforcement could require WhatsApp to decrypt a conversation so it can read messages exchanged between suspects so long as it can get a wiretap warrant.

The LAED Act also embeds this “decrypting” language directly into warrants that give police access to the metadata of text messages or emails, known as pen register/tap-and-trace warrants. So police would be able to see who sent the message and who received it.

This act would effectively require any American company that offers E2EE to redesign its product so that it can be decrypted.

If there is a service that does not yet have a known decryption method, the LAED Act lets law enforcement agencies issue an “assistance capability directive.” In short, this requires a company to develop (or maintain) a way around encryption. And this can be applied to any company, not just ones that meet the 1 million user threshold.

The bill even created a prize competition to incentivize researchers to develop new ways to break secure cryptography.
How would the LAED Act affect you?

As a Proton user, your data would remain secure. Because we are a Swiss company and store all your data on servers in data centers in Switzerland, ProtonMail is not subject to US laws. Any request from foreign law enforcement needs to be approved by Swiss authorities. This means that even if this bill became law, we would be able to continue providing end-to-end encryption and zero-access encryption to our users, ensuring their messages stay secure and private.

However, if this bill is passed, the Internet’s overall security would dramatically decrease. Storing any personal data on your smartphone or conducting business online would become much riskier. As long as there is a backdoor in encryption, it is simply a matter of time before hackers discover it and exploit it.

LAED would also have immediate, concrete impacts. Companies might deploy weaker encryption on their products in the US. The ban on end-to-end encryption in the US means that if WhatsApp and Signal want to keep their encryption, they would likely have to remove their apps from the US versions of the App Store and Google Play. The encryption used on Apple’s iMessage and Android, iOS, macOS, and Windows devices would all have to be redesigned with backdoors.

Given the United States’ role in tech development, this law could also have a profound impact on the use and application of strong encryption around the world. If US companies develop the ability to build backdoors into existing secure encryption systems, that technology will be in high demand worldwide, especially by authoritarian governments.
The LAED Act must be stopped

This is an explicit attack on encryption that rejects the advice of virtually every security researcher. The problem, as we have stated again and again, is that any encrypted platform with a backdoor is fundamentally insecure. There is no such thing as a backdoor that only lets the good guys in. If there is a vulnerability, eventually, someone will find it and exploit it.

Once these vulnerabilities are built into platforms, the key to exploiting them will become the number one target of every hacker. Keeping these keys secure would be almost impossible. The US government has failed at this task in the past, like when a group known as the Shadow Brokers stole and published CIA hacking tools.

If every communications service has a backdoor, then the entire premise of the Internet as we know it collapses: The Internet and all the knowledge-sharing, self-expression, and economic transactions it enables could not function without encryption. If people are afraid that hackers will read their emails or steal their credit card numbers, the Internet will become useless.

This law is also indicative of a disturbing trend that is sweeping Western democracies. It is simple to trace the “assistance capability directive” in the LAED Act to the “technical assistance notices” in Australia’s Assistance and Access Law, which was inspired by the UK’s Investigatory Powers Act. All of these laws whittle away at their citizens’ rights and the security of the Internet. Seeing such a law passed and enforced in the US could encourage other countries to pass their own version of the LAED Act.
What you can do

The LAED Act is currently sitting in the Committee on the Judiciary. It has not faced a floor vote in either the Senate or the House of Representatives. You can monitor its progress here.

If you are concerned about your privacy, you can also sign up for a free email account with ProtonMail. This account will also give you access to the free version of ProtonVPN, which you can use to encrypt your online browsing.

We also urge everyone to read the bill itself along with other explainers of how the bill will work. The Electronic Frontier Foundation has a helpful analysis of the bill.

If you are an American who is worried about your right to privacy, you should call or write to your representatives in Congress and tell them you are against the LAED Act. By voicing your support for strong encryption, you will be contributing to the fight to keep the Internet secure, private, and free.
Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

--
Keith
Member: Data Hoarders Anonymous