
Signal Threatens To Dump US Market If EARN IT Act Passes (pcmag.com) 82

Signal is warning that an anti-encryption bill circulating in Congress could force the private messaging app to pull out of the U.S. market. PC Magazine reports: Since the start of the coronavirus pandemic, the free app, which offers end-to-end encryption, has seen a surge in traffic. But on Wednesday, the nonprofit behind the app published a blog post, raising the alarm around the EARN IT Act. "At a time when more people than ever are benefiting from these (encryption) protections, the EARN IT bill proposed by the Senate Judiciary Committee threatens to put them at risk," Signal developer Joshua Lund wrote in the post. Although the goal of the legislation, which has bipartisan support, is to stamp out online child exploitation, it does so by letting the U.S. government regulate how internet companies should combat the problem -- even if it means undermining the end-to-end encryption protecting your messages from snoops.

If the companies fail to do so, they risk losing legal immunity under Section 230 of the Communications Decency Act, which can shield them from lawsuits concerning objectionable or illegal content posted on their websites or apps. "Some large tech behemoths could hypothetically shoulder the enormous financial burden of handling hundreds of new lawsuits if they suddenly became responsible for the random things their users say, but it would not be possible for a small nonprofit like Signal to continue to operate within the United States," Lund wrote in the blog post.

  • Last I heard it wasn't going anywhere.

    • Good. I hope it dies
    • by DaMattster ( 977781 ) on Thursday April 09, 2020 @05:12PM (#59926370)
      I definitely hope it dies because weakening encryption makes it easier for nefarious actors to break it. Nothing good comes from weakening encryption. I use OpenBSD so I have little to worry about from the government. Everything I use is OpenBSD powered. Still, if a bill like this goes somewhere and becomes law, I could be arrested for using an open source product with strong encryption.
      • by ShanghaiBill ( 739463 ) on Thursday April 09, 2020 @05:21PM (#59926412)

        weakening encryption makes it easier for nefarious actors to break it.

        This is especially true if you consider the American government to be a nefarious actor.

        • This is especially true if you consider the American government to be a nefarious actor.

          ~SHANGAI BILL

          Your directives are null.
          This comment is not sanitation.
          H

          Account number #739463 Promulgated misinformation to this site resulting in societal harm. When closing the enterprise of air travel might have saved lives, this account argued their effect was a "wash".

        • Comment removed based on user account deletion
        • The opinion [wired.com] of the real Signal developer (Moxie Marlinspike not Joshua Lund) is:

          From very early in my life I've had this idea that the cops can do whatever they want, that they're not on your team. That they're an armed, racist gang.

          And Marlinspike's view of the police [moxie.org] is:

          Police already abuse the immense power they have, but if everyone's every action were being monitored, and everyone technically violates some obscure law at some time, then punishment becomes purely selective. Those in power will essentially have what they need to punish anyone they'd like, whenever they choose, as if there were no rules at all.

          Which is much the same as Ayn Rand [archive.org]'s

          There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws.

        • by Shaitan ( 22585 )

          Indeed or any government for that matter.

      • I could be arrested for using an open source product with strong encryption.

        That's not what this law does. It removes legal immunity to copyright claims for companies for what people post if they use end-to-end encryption. This is still bad, but it only makes it so Google, FB, etc cannot offer E2E encryption services. You can still do whatever. And Google, FB, etc. could still write E2E software, just not let you use it on their cloud.

        • Does https count as a liability? It is a means of end to end encryption between user and the web site going over internet provider networks.
          • by amorsen ( 7485 )

            No, because when the company is served a warrant they can simply give the police access to their end of the HTTPS connection. They have the key. The problem comes when someone provides a way for two other people to communicate without the provider being able to listen in.

          • Interesting and excellent point. Sure, it probably would be technically the case. But there's a commission that would figure out the rules how it applies and they probably say blocking HTTPS wasn't "best practices".

      • by Agripa ( 139780 )

        I definitely hope it dies because weakening encryption makes it easier for nefarious actors to break it.

        Domestic law enforcement agencies including the DEA and FBI are not nefarious actors. Ask them.

    • Last I heard it wasn't going anywhere.

      That's why it's stalling on when the second reading for it will happen. Political whips are out drumming support with exchange. Senators can trade out their top list item for a vote on this in the Republican whip side and Democrat whip side is trading up for moderate judges for it. However, it doesn't look like the far left and moderate right are up for trades with the whips. But moderate lefts and far rights seem on board to get some of their to-do list done with this bill. However, the Class 2's that

  • EARN IT? (Score:3, Interesting)

    by kurkosdr ( 2378710 ) on Thursday April 09, 2020 @05:14PM (#59926382)
    EARN IT? Is that a coded message to US citizens with regards to their freedom and privacy? "Look, we know it's bad, but we are forced to do this, please do something as citizens to earn your freedom and privacy back"
    • It’s a well known fact that in 9 out of 10 cases, the chosen acronym is the best part of new legislation being brought to the floor.
    • Comment removed based on user account deletion
      • Re: (Score:2, Flamebait)

        by buravirgil ( 137856 )

        Citizen credit score is working well for China. The more you do for the state, the better your credit score is. Or rather, that's how it's sold. In reality, you must make working for the state free just to keep your head above water. It's bell curve grading.

        ~DigiShaman

        What do you know of normative and criterion-based measures? What you know of policy defending its responsibility to govern a multi-cultural domain versus military policy rationalizing the maintenance of preferred margins of profit across the globe is poorly supported with a rhetorical usage of "In reality,".

        Why engage in discourse by terms few have practical knowledge to assert...what have you asserted? Reality? The queue for that false flag is as long as your personal experience informs you.

    • Yes! 100%
      Does anyone remember "The First Crypto War"?
      SB66 comes to mind. We've been there and it still needs doing, again, and again...

    • by fred911 ( 83970 )

      "coded message to US citizens with regards to their freedom and privacy?"

      No it's more like, we already do warrantless surveillance, it's just that it's a little harder and more expensive for us to prove that parallel construction due to information gained from the warrantless surveillance would have been obtained otherwise if we weren't such fat fucks stuffing our faces with doughnuts and actually did our job (and followed the intent of law).

  • This needs to be called the...

    Allow Hackers and Criminals to spy on you so that the US Government can spy on you too Act.

    The ONLY thing that keeps encryption even "partially" secure is because "golden keys" can be kept secure through obscurity. After this passes... that obscurity goes away and every key the Government has will go straight to the fucking hackers!

    Security will become just like the TSA... mostly pointless and a waste of fucking time!

    • Re:Rename It! (Score:4, Informative)

      by ShanghaiBill ( 739463 ) on Thursday April 09, 2020 @05:26PM (#59926424)

      This needs to be called the...

      Allow Hackers and Criminals to spy on you so that the US Government can spy on you too Act.

      Another good name would be the "Ship American Tech Jobs Overseas Act".

      Weakening encryption is a stupid idea in more ways than can be counted. Did we learn nothing from the encryption embargo debacle of the 1990s?

  • by smoot123 ( 1027084 ) on Thursday April 09, 2020 @05:17PM (#59926394)

    When I think about section 230, I think of it as an admission that a provider really has no practical way to moderate vast floods of content so we're not going to hold them accountable for something beyond their control. Law enforcement has to put on their big boy pants and go after the individual perpetrators.

    End-to-end encryption makes that reality even more evident. Not only is the scale of communication too great to allow any practical moderation, now the raw data isn't even available. Thus, section 230 is even more applicable.

    • by AmiMoJo ( 196126 )

      Problem is they have counter examples like Skype. Skype used to be end-to-end but when Microsoft bought it they changed it so that it uses their servers to set up the crypto on the link, conveniently allowing anyone who asks Microsoft nicely to spy on your calls.

      It blew up all the arguments about it being impractical due to limited resources or bandwidth.

      • It blew up all the arguments about it being impractical due to limited resources or bandwidth.

        Interesting point. Let me be clearer what I'm saying.

        Microsoft or whoever certainly has the capacity to decrypt and re-encrypt the streams. Proof by demonstration they could tap a subset of calls in flight.

        What I'm saying is Microsoft doesn't have the need, capacity, or duty to monitor all conversations in real time for illegal content. Even further, they have no ability to censor those conversations. Just like they don't have the ability or need to moderate text-based online conversations, which is basica

        • by amorsen ( 7485 )

          I find it hard to believe they could monitor everything but it's been rumored for ages that they can.

          They don't generally care about monitoring everything. Storing everything works just fine. Then sifting out the interesting stuff afterwards.

  • by Sebby ( 238625 ) on Thursday April 09, 2020 @05:18PM (#59926400)

    "Let's have an adult discussion about this..."

    That's what people at the FBI, NSA, etc. that want encryption gone tell tech companies, yet they're the ones that call out "won't someone please think of the children!!!" as a #lame counterargument anytime they get any type of pushback.

    Frankly, the moment they use that as their reasoning for any arguments they're trying to make, they lose all credibility.

    • by JaredOfEuropa ( 526365 ) on Thursday April 09, 2020 @05:33PM (#59926446) Journal
      In any discussion about online liberties, children are just very small Godwins.
    • Comment removed based on user account deletion
      • by Sebby ( 238625 )

        I can assure you, the FBI and NSA lost all credibility a long time ago!

        True, you cannot lose something you no longer have (or never had to start with).

    • Frankly, the moment they use that as their reasoning for any arguments they're trying to make, they lose all credibility.

      They lose all credibility, but somehow they gain all the votes.

      • by Sebby ( 238625 )

        They lose all credibility, but somehow they gain all the votes.

        Voter suppression.

        Gerrymandering.

    • by BeerFartMoron ( 624900 ) on Thursday April 09, 2020 @05:52PM (#59926490)

      Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

      As an adult, it really is that simple. All of us have a right to speak freely, even if we want to do so in English, Spanish, Pig Latin, ROT-13, or AES-256.

      • by Kjella ( 173770 )

        "Congress shall make no law (...) abridging the freedom of speech"

        As an adult, it really is that simple. All of us have a right to speak freely, even if we want to do so in English, Spanish, Pig Latin, ROT-13, or AES-256.

        But with a warrant they can wiretap your phone calls. It's not something the phone company can do if they please, it's a service they're compelled to provide. And "it's the customer's telephone" has never been a valid excuse for them. This is the same in the 21st century, you provide a chat app? Then you will also build in wiretap capability. You can throw around words like unconstitutional but I very strongly doubt the Supreme Court would agree. In fact the prosecutors looked very hard for a way to hang Ph

      • Comment removed based on user account deletion
    • I don't know about the FBI, but the NSA most definitely does not want encryption gone. They answer to Congress and the president. But the NSA absolutely recognizes that it's the global dominant force in breaking encryption. Encryption is a bigger impediment to all of their rivals than it is to the NSA. And the NSA has a mandate to secure our communications.

      • by Sebby ( 238625 )

        I don't know about the FBI, but the NSA most definitely does not want encryption gone.

        You're right; the NSA doesn't want it gone - they want it weakened so that they're able to break in, but not their FBI buddies.

  • ignored and violated as often as possible. Congress and the White House both have abandoned the Bill of Rights and the rest of the Constitution decades ago in their unholy pursuit of total power.

    Their KGB and Stasi agencies ( FBI, NSA, DHS, etc) are licking their chops at a bill like this...

  • The goal?? (Score:5, Informative)

    by fred911 ( 83970 ) on Thursday April 09, 2020 @05:32PM (#59926436) Journal

    "the goal of the legislation, which has bipartisan support, is to stamp out online child exploitation"

    No, the real goal is to make law enforcement easier, to allow them the option of making private communication transparent.

    Whereas, Signal provides an easy method for people to utilize math, even if they are forced to stop marketing their product stateside, we have others able to vet applications that employ the same math to assure communication stays private (or makes decryption too expensive or too stale once decrypted).

    What they really should be doing is grow a pair and read how those before them dealt with this issue https://en.wikipedia.org/wiki/... [wikipedia.org] instead of whining like bitches.

  • by Kitkoan ( 1719118 ) on Thursday April 09, 2020 @05:36PM (#59926456)

    This is a privacy concerning app???....

    Considering it won't work on Android until it has full permission to root through all your contacts, I wouldn't call this a privacy focused company.....

    • Re: Wait....... (Score:3, Interesting)

      by BAReFO0t ( 6240524 )

      Signal does not require root, but nice of you to choose that word anyway.

      And, had you actually looked into it, then you'd know what it uses that contacts list for. (The one you probably synced with Google or Apple anyway.) You can even look at the source code!

      (It uses it, to 1. display the names and such when you get a message from a contact. And 2. to create hashes to ask the server if those can receive messages, so it can determine who it can send a Signal message, and who can only receive insecure texts,

      • Root was used to mean search. And this is literally the only messaging app that needs this. Facebook messenger doesn't even need that much permission. It's really sad and telling when Facebook of all messaging software needs less permissions than this
        • And this is literally the only messaging app that needs this.

          Facebook isn't equivalent... you are either messaging existing friends within Facebook or people from their post. You do have the option to upload contacts to Facebook to add friends that way, which is then part of your account, which FB messenger uses. Which is a roundabout way of saying that FB Messenger wouldn't mind if you uploaded your contacts to Facebook.

          Whatsapp.... it asks for your contacts
          Telegram.... same
          Snapchat.... oh yeah
          Nimses... these guys too
          LinkedIn.....of course (to be fair, not specifica

          • Plot twist: All of them ask for access to your contacts, but only Signal will refuse to work if not granted access. Every single messaging program you listed will work without the app having access to your contacts. Only Signal refuses to work until they have that access. Just because you might have accepted to each one to have access to your contact info, doesn't mean everyone is quick to offer up that information to whomever asks
            • Erm, you can refuse to give Signal access to your contacts and it will still work. I just tried it.

              You will see phone numbers instead of names, and starting a new conversation is a bit tricky, just like when you don't give WhatsApp your contacts. But it works.

              Facebook Messenger doesn't need your phone contacts because it operates on the basis of Facebook contacts and Facebook already has all your Facebook contacts.

        • You're really thick aren't you? Stick to Facebook, where they don't need your permissions because they've already slurped up all your data and have backdoor access in their closed app.

  • Notable fact (Score:5, Insightful)

    by sjames ( 1099 ) on Thursday April 09, 2020 @05:39PM (#59926462) Homepage Journal

    One of the sponsors of the bill recently blasted Zoom for NOT having end-to-end encryption. As if he wasn't the sponsor of a bill that would all but outlaw it.

    Also notable, https is end to end encryption, so no more banking on the net for Americans. I guess it's a good thing it didn't pass before COVID came to town or we'd REALLY be isolated now and nobody would be teleworking. Speaking of thinking of the children, there wouldn't be any online learning happening either. Ironically in part because it would be too easy for creeps to intercept the video streams and perve on the kids.

    • Re:Notable fact (Score:5, Informative)

      by Octorian ( 14086 ) on Thursday April 09, 2020 @05:50PM (#59926484) Homepage

      https is not end-to-end encryption, as it's commonly described. It's transport encryption, a.k.a. client-to-server encryption.

      End-to-end encryption means that content is encrypted from one client endpoint to another, and any intermediary servers are unable to decrypt/read the contents.

      • Re:Notable fact (Score:4, Interesting)

        by localroger ( 258128 ) on Thursday April 09, 2020 @06:36PM (#59926554) Homepage
        If one of the ends IS the HTTPS server, which could very well be running on someone's laptop if they have a fixed IP address or other way to route the traffic to them, then it is end-to-end. After EARN IT I would expect that to be the next target. The US government has never liked strong encryption for anyone but itself.
        • by fred911 ( 83970 )

          "then it is end-to-end"

          Not quite, you have no way of disqualifying the certificate server's ring of trust, less you deny all SSL sockets from the associated cert. How many certificate servers have been compromised?

          End to end is significantly different.

        • by amorsen ( 7485 )

          EARN IT doesn't apply when TWO people are communicating without help. They can do whatever they want.

          EARN IT applies when a third party is involved, providing the way that the two people communicate. EARN IT says that the third party has to be able to comply with a wiretap warrant. Signal can't do that without putting spyware into the clients.

    • The banking world has very strong "Know Your Customer" regulations, so that's a bad choice for comparison.

      • Re: Notable fact (Score:4, Interesting)

        by sjames ( 1099 ) on Friday April 10, 2020 @01:39AM (#59927436) Homepage Journal

        Consider how the DOJ likes to take a mile when given an inch. The bill is aimed at things like WhatsApp and Signal where the intermediary can't currently read the messages, but how long will it be before they come back declaring the ISP to be non-compliant because it can't read your https traffic? Of course their 'target' would be naughty web sites, but online banking would be collateral damage.

        And there remains the fact that kids talk with each other using end to end encryption. Breaking that actually puts them at greater risk.

        Other open questions, if I use GPG on an email and send it off, does it count as end to end encryption? Probably yes since the intermediary mail servers can't read the body of the email. That could be a problem if I'm talking to a priest or a lawyer (or, for that matter, my banker).

  • ... offers end-to-end encryption ...

    Don't worry, Zoom Video Communications is perfectly positioned to provide the universal censorship demanded by the US government. Or maybe not, since its subscribers have recently learnt the cost of half-arsed 'security'.

    ... a small nonprofit like Signal ...

    The government doesn't want to spend money chasing actual criminals, which is good news for Americans. They can still access Signal servers via an international VPN.

  • by ItsJustAPseudonym ( 1259172 ) on Thursday April 09, 2020 @06:20PM (#59926530)
    Never Expect Congress To Advocate Rights
  • by FeelGood314 ( 2516288 ) on Thursday April 09, 2020 @07:11PM (#59926610)
    So the US senate just decided not to use Zoom because it lacked end to end encryption at the same time the house is trying to pass a law making all apps act like Zoom.
  • Vote out anyone who votes for this bullshit. Sadly I'm afraid this will pass based on how Sesta and Fosta performed. Won't someone think of the kids bullshit needs to stop. Won't someone think about the privacy of everybody else?!?!

    "Those willing to sacrifice liberty for security deserve neither" - Thomas Jefferson

  • Doesn't iMessage have end-to-end encryption too?

    With tech companies changing their structure to work online, it will take even less bullshit than usual for them to simply establish themselves in another country.

    Can you imagine Apple's headquarters moving to British Columbia, for example?

  • We can still go to https://signal.sometld/ [signal.sometld], and install Signal from there. Oh, wait, the TLS CAs are government lapdogs!

  • .... end to end encryption, exactly?

    Given that an end-to-end encrypted stream will just look like a stream of bits which would be indistinguishable from some proprietary data format that the person eavesdropping doesn't happen to know about.

    Conceptually, this is no different than outlawing speaking in public in a language that other person who might overhear it may not understand. To someone who doesn't know the language or its structure, it's going to sound like gibberish.

    • Isn't that part of what pattern analysis and entropy weakness/failure in encryption winds up exposing?

      Even unknown proprietary data can be identified as such by a lack of entropy and patterns, especially given the application of statistical analysis/machine learning.

      Then there's the idea that for compatibility/usability, encrypted connections often use known channels/ports to communicate.

      I think what you're describing is more like some combination of stenography and encryption.

  • because it's used to carry private voice conversations between people involved in illegal acts.

  • ... Signal is a separate plane of communication thanks to its privacy technologies.

    Signal EOL support for the older 4s iPhone. I used Signal to communicate with an acquaintance whose communications were State interest in-a-foreign country. It parlayed into a safety zone for personal life which provided respite in the face of hostile political realities.

    Nothing replaced the safe space Signal carved out to communicate. Not Facetime, email nor WhatsApp. Exchanges thereafter took on the all too familiar gloss

  • Who would be able to detail a more precise comparison than me here?

    I use Signal among others to communicate with people who are admin in a serious company when they are away. In case Signal use is prevented in a country they are in I also installed Jami, https://jami.net/ [jami.net] , which to me seems
    - as open source as Signal,
    - more difficult to install,
    - providing more features (e. g. also videos on Linux, etc.),
    - no need to exchange phone #s out (although I think Signal can avoid this),
    - and no need for a central p
