A New Bill Could Punish Web Platforms For Using End-To-End Encryption

Lindsey Graham (R-SC) is working on a bill that would reduce legal protections for apps and websites, potentially jeopardizing online encryption. The Verge reports: The draft bill would form a "National Commission on Online Child Exploitation Prevention" to establish rules for finding and removing child exploitation content. If companies don't follow these rules, they could lose some protection under Section 230 of the Communications Decency Act, which largely shields companies from liability over users' posts. Reports from Bloomberg and The Information say that Sen. Lindsey Graham (R-SC) is behind the bill, currently dubbed the Eliminating Abusive and Rampant Neglect of Interactive Technologies (or EARN IT) Act. It would amend Section 230 to make companies liable for state prosecution and civil lawsuits over child abuse and exploitation-related material, unless they follow the committee's best practices. They wouldn't lose Section 230 protections for other content like defamation and threats.

The bill doesn't lay out specific rules. But the committee -- which would be chaired by the Attorney General -- is likely to limit how companies encrypt users' data. Large web companies have moved toward end-to-end encryption (which keeps data encrypted for anyone outside a conversation, including the companies themselves) in recent years. Facebook has added end-to-end encryption to apps like Messenger and Whatsapp, for example, and it's reportedly pushing it for other services as well. U.S. Attorney General William Barr has condemned the move, saying it would prevent law enforcement from finding criminals, but Facebook isn't required to comply. Under the EARN IT Act, though, a committee could require Facebook and other companies to add a backdoor for law enforcement.

End-to-end encryption ...

[b0s0z0ku]

Should always be done with an open-source product that can be audited for backdoors like PGP, not using some proprietary software from slime like Facebook (which owns Whatsapp and Messenger). The actually crypto software should always be divorced from the provider to prevent the provider from being subject to outside pressure.

Re:

[110010001000]

Exactly. This guy gets it.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[browndonahue]

Blockchain networks can provide the key escrow service. See https://www.sense.chat/ [sense.chat] for an example.

Re:

[NoMoreACs]

The entire Republican Party should do the right thing for the country and retire and maybe put someone in place with functioning brain cells and ethics.

FTFY.

Re:

[110010001000]

Who knows? They are closed source. They could literally be doing anything.

Re:

[The New Guy 2.0]

The thing is, a P2P messaging protocol would be wildly popular if everybody could agree on the standard.

Re:

[Kjella]

The thing is, a P2P messaging protocol would be wildly popular if everybody could agree on the standard.

The thing is, that's simply not true. IRC with DCC chat is 30 [wikipedia.org] years old, there's probably older examples. Email, usenet groups, homepages, blogs etc. were decentralized now it's centered around a few large services like Facebook, Twitter, Instagram and such where the client and the protocol and the provider is one and the same. I won't go into long deliberations about why but the average user has never put much value on decentralization. Particularly the absence of any centralized authority to keep bots, sp

Re:

[fred911]

IRC with DCC still required cooperative server networks to facilitate client initial introductions, only then were services P2P.

But outside of TOR all HTML services are centralized [ aside form caching services], what are you talking about.

Also if IRCD were really decentralized why'd we have to run eggdrop to maintain channel control over server splits.

I think my idea of decentralization might differ than yours.

Re:

[NoMoreACs]

The thing is, a P2P messaging protocol would be wildly popular if everybody could agree on the standard.

Which brings up the question: "What keeps you from sending already-encrypted text over even a back-doored system?"

Parnas just said Graham was in the loop too

[goombah99]

You can see why Graham would want end to end encrytption. No more records to subpoena..

Re:

[jungletek]

I knew you were a moron; you've managed to get the opposite of the facts, despite the summary being in the first sentence.

Congrats.

Re:

[LifesABeach]

Lets first assess intent, can the honorable senator Graham spell "encryption" ?

Re:

[AHuxley]

What about a VPN?
Know the gov is collecting it all from the ISP vs a VPN product?

Re:

[KingBenny]

hmm, im thinking for my hobbyproject simply 'no posts' on my behalf and use disquss or something for the rest ... im just a bit stuck with my zero cookie policy as i doubt disquss comes without it ...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[110010001000]

We will get right to that, Mr. Durden. Right after we impeach Trump and stop Brexit.

Re:

[gweihir]

Brexit happens in 3 minutes. Seems that one has failed...

In other news, stopping authoritarian scum from spying on everybody is an on-going effort and will remain so.

Re:

[The New Guy 2.0]

And this may have been placed in the Senate Hopper, but the Senate is busy on the Impeachment. That, and Brexit tonight, Iowa Caucuses Monday, and the Super Bowl on Sunday... news is a little busy right now.

Re:

[SuricouRaven]

I wonder what announcements have been made to take advantage of the busy news period. If I had an unpopular policy to announce, I'd do it right now.

Re:

[The New Guy 2.0]

Yep, this is a well protected "Take out the trash!" weekend. Anybody got the AP Wire and can submit stories to Slashdot?

Re:

[SuricouRaven]

Trump issued an order permitting the US to utilize land mines again, though only under 'exceptional circumstances.' He took the chance to insult Obama while he was at it, of course.

Re: Time to hit the reset switch

[110010001000]

Itâ(TM)s a joke snowflake. Donâ(TM)t take everything so seriously

Re:

[Z80a]

No you won't.
You will just get the bill, replace "children" by "hate speech" and send it back for voting.
Same power grubbing shit, different buzzwords and megacorporations behind the scenes, which is why there is even fight between the two sides.
Exxon Mobil and Lockheed martin versus Google and Disney.

And of course

[Dunbal]

But it's for the sake of the children! Why do you hate the children? (ad nauseam)

Re:

[gweihir]

I find it interesting that terrorism is not used anymore. By https://en.wikipedia.org/wiki/... [wikipedia.org] the next thing should be organized crime when finally everybody has gotten really sick of the "children" argument.

Re:

[Rick Schumann]

We have a terrorist in the Whitehouse right now (the 'Terorist-in-Chief') so it would be disingenuous for them to use that as an excuse.

Re:

[jungletek]

Trump Destroys Self?

Just let it run its course.

Re:

[Rick Schumann]

See: https://slashdot.org/comments.... [slashdot.org]
I got every reason in the world to consider the sonofabitch a terrorist.

Re:

[Rick Schumann]

https://news.google.com/search... [google.com]
These are the sort of threats you hear from terrorists. It's also the sorts of crimes against humanity that ISIS/Daesh have committed. This is why Trump is a terrorist. Congratulations, asshole, this is who you voted for, I hope you're proud of yourself.

Re:

[gweihir]

Incidentally, the original meaning of "terrorism" is a form of Government where the population is kept under control by fear. The sad thing is that Trump is just one of a whole army of cave-men that managed to get into power.

Re:

[Rick Schumann]

One way or another he's going to go. I'd hate for it to take another 4 years. Part of me hopes someone manages to kill him, but he knows people are gunning for him so that's very unlikely. We might get rid of him this year if some people will get their heads out of their asses. If it does take 4 more years then maybe his voter base will finally see the mistake they've made when their kids are dying of cancer from polluted and poisoned air and water, and they're more poverty-striken than they've ever been be

Re: And of course

[John Trumpian]

Finally some insight! It is not about childporn, it is bot about terrorisme, it is not about criminals. It is about controlling the mass! I will drop all my encryption once the govement will drop theirs...

Re:

[ShanghaiBill]

But it's for the sake of the children!

Is it?

Children may be harmed in the creation of child porn, but there is little evidence that they are harmed by possession or distribution.

Child molestation is correlated with possession of CP, but that is not the same as causation. Countries with more restrictions on CP do not have lower levels of molestation. Some studies have found a negative causative factor, so access to CP may reduce harm. In Japan, child sex dolls have been shown to reduce molestation by giving pedophiles an alternative outlet. Y

Re:

[The New Guy 2.0]

The ban on possession and distribution is intended on pulling the money out of it... too bad that's not working.

Re: And of course

[ArmoredDragon]

I doubt they would actually be illegal here as pornographic artwork featuring children has been deemed constitutional, so I doubt a doll would be any different. However, you're probably unlikely to be able to make or sell them.

All it really takes is one viral tweet to have any potential business partners refuse to do business with you. Your supply chain would be practically non-existent, as would your means of taking payment, and your means of distribution. This is also why I doubt you're ever going to find

Re:

[fred911]

'Why do you hate the children?'

It's because we all must really want to use, traffic and take nude photos of them. My gosh, where has our moral compass gone.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[thedarb]

Have you MET children?!? *shudder* ;)

The GOP & Right Wing Dems want to kill section

[rsilvergun]

and turn the Internet back into Cable TV. It makes sense, I pointed out here [slashdot.org] the effect alternate information channels can have on politics.

Make no mistake, Section 230 _is_ the Internet. Without it no website can risk having user made content except the largest, most establishment friendly ones. You'd be sued into oblivion. The people who drafted Section 230 knew that, it's why the law exists. And the people attacking it know that, it's why they want the law gone.

Along with Net Neutrality the end of Section 230 means the end of the Internet. What scares me is how few people realize the threat this poses...

One more point I forgot to make

[rsilvergun]

if the people in charge knew what the Internet would become they never would have let it happen. Remember that.

Re:

[Rick Schumann]

More and more often I wish the Internet never went public.

I still think the public Internet will be good

[rsilvergun]

but like all good things we have to fight for it. Think of freedom and democracy like a machine. You have to do maintenance on it. And no, not with anything exciting like blood. Put blood in your gas tank and you'll kill your engine. Nope, you've got to do the boring, dirty work of voting.

Re:

[fred911]

Wong. TCP/IP was designed to assure packets got delivered regardless of loss of usual or abnormal routing. DARPA did an excellent job of assuring the network was resistant, and to this day still is.

That basis alone assures the standards for network cooperation that is and has been ultimately redundant and extremely hard to control, alter or moderate.

It's the abortions above that are being tested. But the lower level is like a torrent swarm, kinda hard to put that cat back in the bag.

Re: One more point I forgot to make

[John Trumpian]

TCP/IP was not "invented" they both was part of the same suite and was bundeld. Transmission Control Protocol & the Internet Protocol.

Re:

[Cajun Hell]

Make no mistake, Section 230 _is_ the Internet. Without it no website can risk having user made content except the largest

I agree, but websites aren't being threatened by this, are they? This looks like an attempt to regulate software, except that it tries to pressure developers by revoking something a website needs but an app developer doesn't need.

Your websites/services and your software shouldn't be single source anyway. One of the basic rules of computers is this: never get hardware, software and servi

Websites are software

[rsilvergun]

And yeah, Linsdsay's following orders. Not Putin, more likely the surviving Koch Brother and the other mega rich that want to control your media and mine.

Re:

[Rick Schumann]

What do you mean, 'turn it back into Cable TV'? It already is: 'streaming' services, 'shopping', etc. Wikipedia and the like are PBS.

There's a huge anti-Establishment media

[rsilvergun]

on the Internet. Secular Talk, TYT, Contra Points, Beau of the Fifth Column, etc, etc. All that goes away without Section 230 and you're left with CNN, Fox News & MSNBC all pushing a pro-corporate Establishment narrative.

Re:

[Rick Schumann]

I'm not saying I like it the way it is or that I want them to get away with wrecking what's left of the Internet I'm saying that Corporate America and all the assholes of the world have already done quite a job of wrecking it for the large part. Some days I really think that it's not going to survive at all, they'll wreck what little value there is in it, it'll just become everyones worst nightmare, and we'll all just stop bothering with it at all. You have to admit the way things are going in the world too

Re:

[AHuxley]

Section 230 is used by ad brands to play at political censor as a publisher and stay as a protected telco..

Well, the Internet is more than US-America.

[BAReFO0t]

I'm not under US law. So I wouldn't have to give two shits about that. I only do, because I care about you guys.
But the Internet would live on, even without the USA.
If push comes to shove, I'll set up a few VPNs for you guys, like I do for others in other countries. (I can do and have done steganographically hidden VPNs via big websites. Bandwith sucks there though. :)

Re:

[epine]

I'm not under US law. So I wouldn't have to give two shits about that.

Then you've never bothered to educate yourself on the difference between having rights in theory and having rights in practice.

Because if America falls, the international practice of unfettered encryption will take a massive gut short, and whatever picayune legal regime you presently operate under will become 50% more theoretical rather than actual.

Last person to proudly post about not having to give two shits: Well, I live in the Liberta

It's every man for himself from now on

[AndyKron]

From the actions from the Senate today it's obvious that the rule of law doesn't exist in this country anymore so do whatever the fuck you want to from here on out.

Re:

[frank_adrian314159]

Wrong! The Senate is only shouting your betters' philosophy for the past 10000 years or so: Laws are for little people.

Sounds fine

[Cajun Hell]

The makers of any decent user-to-user direct communication software don't need Section 230 protection, because they're not involved anyway. They just make the software that the users are using, but wouldn't be hosting or involved in the communication any more than a manufacturer of pens and pencils are. (Think of it this way: even without any protections at all, is the Mozilla foundation liable for what you post in a Salshdot textarea using Firefox?)

The only entities that would be touched by this, are the ones who make unusually shitty software which puts the company in between the users, needlessly getting involved in the communication (probably for ad purposes). Nobody should be using these types of apps, both for that reason and also because they're always proprietary so you don't even know if they encrypt competently, and also since they can't ever interoperate with one another.

This is profoundly unthreatening, and if it were to have the force of law, it would probably overall increase security and quality. I support Graham's idea (which probably means he shouldn't be supporting it).

Re:

[The MAZZTer]

AFAIK most people will have a firewall or router, even a simple ISP supplied one, that blocks unsolicited inbound traffic by default. This is a good thing since it prevents port scanners from scanning PCs for vulnerabilities to exploit. Any app that connects people is going to need to use a central server so only outbound connections need to be used, and the server can pass along messages or even just help two users punch through a firewall and connect directly to each other.

Re:

[Anubis IV]

The makers of any decent user-to-user direct communication software don't need Section 230 protection, because they're not involved anyway.

You seem to not be aware of how encryption works. Namely, for end-to-end encryption to work there needs to be an exchange of keys. If you’re not doing it via back channels or in-person, which very few people are, you need to rely on a company to facilitate the key exchange. In the interest of a decent user experience, nearly every decent company that provides end-to-end encryption facilitates that exchange.

So, yes, they are involved and do need to be worried. It isn’t just the slime balls that a

Re:

[Namarrgon]

They just make the software that the users are using, but wouldn't be hosting or involved in the communication

Well, that's not true of a lot of modern communication software, including end-to-end encrypted apps like Signal & Telegram, but stripping liability protections is just as bad for everything else.

All messages must be stored somewhere until it can be delivered. Everything from instant messaging clients to email and IRC down to texts on your phone has to do this - and all communication server owners could be liable for messages that were temporarily hosted on their servers, regardless of where the messag

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re: Like WhatsApp... LOL

[RabidTimmy]

I thought WhatsApp was end to end encrypted. Facebook just used the app to pull all of the useful information for advertising off your phone before encrypting your message.

Whatsapp is end-to-end encrypted.

[BAReFO0t]

It got the same protocol as Signal, because Moxie decided it was more important than stupid partisanship.

Of course it is rather pointless, since it is equivalent to if the allies in WWII had hired Nazis as personal communication assistants. :)
What does it matter how good their encrytion protocol is, when you first have to give it to the enemy, for him to encrypt it, forward it to another enemy, who will then decrypt it and give it to the recipient.
And "independent" audit my ass. If the source isn't open, it

You gotta love how these sorts of bills...

[mark-t]

... are always advocated by people that are completely ignorant of the underlying technology.

Did any of them ever stop to think that there's an actual reason for that?

And no, it's not because programmers are lazy. It's because you can't actually effectively legislate what kinds of things people can do with numbers.

Because that's all computing is. Any appearance that something useful is happening is only the product of an illusion that we happen to associate with obtaining some desired outcome.

Re:You gotta love how these sorts of bills...

[UnknownSoldier]

What do you expect? Sen. Lindsey Graham is the same clueless schmuck who sits on the Internet Policy Subcommittee but has never sent an email.

**Facepalm**

--
If progress is forward, then what is congress ? :-)

Re:

[retchdog]

"you can't actually effectively legislate what kinds of things people can do with numbers"

well, i mean, yeah sorry but you sorta can. you can't stop people from doing things with numbers, but you can slow them down by a factor of, uh, like several billion. at least insofar as you can legislate anything at all.

Fuck em....

[Indy1]

I moved my web and mail server to Switzerland a few months ago. They can ban everything under the Sun and I'll continue to enjoy strong encryption.

Re: Fuck em....

[aRTeeNLCH]

FYI,... Not saying it's worse, but all email crossing the Swiss borders either way has the headers kept and stored for future reference. Due to some anti terrorist or save the children law about 10 to 15 years ago. You may want to look up Onyx and Prism.

Think about the Teens' Rights...

[The New Guy 2.0]

Teens want to be able to communicate with police about abuse from their parents.
Teens want to be able to talk about their love of a schoolmate without their parents knowing.
Teens want to be able to go out at night without their parents following.
Teens want to be able to access their bank account without letting their parents see their balances.
Teens want to be able to invest in stocks without their parents selling everything.
Teens want to be able to play poker without their parents disconnecting their bandw

Let's see if I can explain this in terms Graham...

[mark-t]

... will understand.

I make no promises here, but let's just give it a go.

Let's suppose that I know that you have the ability to listen in on a phone conversation I am having, but I don't want you to know what I'm saying.

If, say, you only understood English, but both I and the person I wanted to talk to could speak, say, Mandarin, then we could effectively confound your listening attempts.

But what if I didn't know what languages you knew?

Well, I could get together with my friend, and we could create a coded system together, and we could exchange confidential messages that way, secure in the knowledge that even if the messages were intercepted, they would not be understood. The phone company is not involved in the encryption mechanism, so they have no ability to help you decrypt it.

Because of the nature of how encryption works, it might even be literally *impossible* for anyone to decrypt the message without knowing exactly how it was actually encrypted in the first place. While numerous standard encryption algorithms do exist, the actual search space for how a message can be encrypted is unimaginably vast, and no amount of increased computing power can actually make decryption of such messages into a tractable problem.

So... leaving aside that it is effectively trying to legislate what people are even allowed to think, I ask.... how does Graham intend to enforce this sort of thing?

Re:

[The New Guy 2.0]

Every time a bad guy is arrested we seem to get the story "The FBI wants to look at his iPhone, but can't!" I wonder what percentage has some other phone...

Re:

[Insanity Defense]

Every time a bad guy is arrested we seem to get the story "The FBI wants to look at his iPhone, but can't!" I wonder what percentage has some other phone...

All criminals use the iPhone because if you're going to steal a phone you steal the most expensive one. You also steal from richer people who are most likely owners of iPhones because they are expensive.

Re:

[omnichad]

I ask.... how does Graham intend to enforce this sort of thing?

To use your example, by forcing them to use a known language like Mandarin. While it's not intelligible directly to most people here, it can be recorded and decoded later. That's exactly the kind of encryption they want - keys held by both the corporation and the government.

Re:

[mark-t]

Which is why I gave a second example, of using some encoding to send and receive messages. Without knowing the structure of the mapping, unless it is very rudimentary such as a cryptographic key, you could have a very hard time decrypting it.

And of course, a one-time pad would make any attempts at decryption impossible.

Finally, with a suitable encryption technique, you may not even realize that the message was actually encrypted in the first place.

Learning to read is an art

[guruevi]

All the bill does is establish a commission that is tasked to protect children. There is nothing in the bill about encryption or even hinting at introducing any regulation.

It's possible the commission eventually suggests that encryption is evil, but thus far, the only people introducing anti-encryption suggestions has been the DOJ and FBI, agencies not very beloved at this point by the Republicans, there is actually a bill introduced by Ted Lieu and Jim Jordan (ENCRYPT act) that if Congress ever got back to doing its job could actually get to the floor. That act is introduced "To preempt State data security vulnerability mandates and decryption requirements."

Does it occur that this is just ...

[MxMatrix]

... abusing child abuse for attacking encryption?

This is about PROTECTING child rapists.

[BAReFO0t]

Note how it says removing child abuse CONTENT. Not attching the actual rapists! Merely hiding them!

I'd investigate Graham for being part of a child rape ring right now! And for trying to protect child rapists, in any case.

-5 Author is a troll, headline is misleading

[turbotalon]

It is clearly stated in the summary "The bill doesn't lay out specific rules. But the committee ... is likely to limit how companies encrypt users' data." So the bill doesn't restrict encryption or penalize companies that have end-to-end encryption, but the rulemaking body it sets up MIGHT do so. Wow. Way to go Slashdot. Headline was misleading and the alarm in the headline was misplaced.

The Jokes Write Themselves

[denny_deluxe]

Lindsey Graham, pushing a law to prevent child exploitation? Seriously?

God help us.

[RespekMyAthorati]

Reports from Bloomberg and The Information say that Sen. Lindsey Graham (R-SC) is behind the bill,

But the committee -- which would be chaired by the Attorney General

Fucking shithead Republicans.