Multiple bills that threaten encryption are moving through the U.S. Senate and could pose a threat to technology that protects users’ privacy, industry pros say.
These bills include the Lawful Access to Encrypted Data (LAED) Act and the Eliminating Abusive and Rampant Neglect of Interactive Technologies (“EARN IT”) Act. While the LAED Act was only recently introduced to the Senate, the EARN IT Act has been in the works for months and has been amended a number of times.
Privacy advocates and product designers say such legislation would also curtail people’s privacy to a huge degree, fundamentally change existing technology and have an impact on everything from messaging and file sharing to privacy coins.
“The government basically would have mass surveillance powers into all of our communications,” said Zcoin Project Steward Reuben Yap, referring to the LAED Act. “It’s saying, ‘Let’s drop the pretense and let’s just go for it.’ I think it’s really scary. It’s not just about cryptocurrencies as a whole though, it’s really about freedom.”
The bills in question
Sponsored by three Republicans, the LAED Act seeks to end encrypted communications by building in a backdoor for law enforcement to use. The bill lays out a legal framework for law enforcement to access encrypted data with a court order.
The explicit goal of the EARN IT Act is to curb the spread of child exploitative content online, such as child sexual abuse imagery, though its impact could be far wider. In an initial draft, this was going to be done by stripping tech companies of liability protections for the content that is posted on their platforms. These protections currently exist in Section 230 of the Communications Decency Act, which shields social media companies such as Facebook, Twitter and Reddit from liability for content.
Under an earlier draft of the EARN IT Act, companies would lose Section 230 protections if they didn’t follow the recommendations of a federal commission on child exploitative content. This could render companies like WhatsApp, which offers end-to-end encryption, liable for communications on the platform, unless they revoked end-to-end encryption.
“They communicate using virtually unbreakable encryption. Predators’ supposed privacy interests should not outweigh our privacy and security,” said Attorney General William Barr at an event the day the bill was introduced.
Barr has long been a critic of encryption, dating back to his days in the George W. Bush Administration.
The most recent version of the bill gets rid of the commission idea, delegating power to state legislatures to bring lawsuits against companies. It also adds an amendment that explicitly protects encryption. But organizations such as the Electronic Frontier Foundation (EFF), Center for Democracy and Technology and Internet Society claim the bill might respect encryption in name, but not in practice.
Tools like client-side scanning, which could be used to check for child exploitative content, employ software to check files that are being sent against a database of “hashes,” or unique digital fingerprints. If the software finds a match to certain kinds of images, they could be blocked, with the recipient notified, or the message could be forwarded to a third party without the user’s knowledge. Organizations such as EFF have said this violates encryption on a fundamental level.
“Tech companies’ increasing reliance on encryption has turned their platforms into a new, lawless playground of criminal activity,” said Republican Sen. Tom Cotton of Arkansas, one of the sponsors (with Sens. Lindsey Graham and Marsha Blackburn) of the LAED Act, in a public statement.
“Criminals from child predators to terrorists are taking full advantage. This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet.”
Child sexual abuse imagery is proliferating at an alarming rate on the internet. In 2019, tech companies reported nearly 70 million pieces of exploitative child content to authorities. Criminals also often use encrypted communications. EncroChat, an encrypted communications platform, protected criminals and their communications from the police, until law enforcement managed to infiltrate it.
But weakening tools that protect everyone’s privacy may not be the best solution, say privacy advocates.
The impact on tech and cryptocurrency
Yap, of Zcoin, said many kinds of technology could be impacted by the bill’s broad sweep.
The LAED Act is aimed at electronic devices and operating systems. Providers of “remote computing services” are included, presumably to cover cloud computing services like Dropbox.
However, Yap said the bill’s definition of remote computing services can be stretched to include cryptocurrencies as well, because financial transactions are conceivably just another form of electronic communication.
“Given the trajectory of this legislation, people in the cryptocurrency industry, especially those like Zcoin [that] are privacy-focused, will very likely be affected,” said Yap.
“It could mean that ‘providers’ of a privacy cryptocurrency that provided service to more than 1,000,000 users in the US are required to insert a backdoor.”
Ian Dixon, a Nevada-based programmer who previously mined bitcoin and runs a validator on a privacy-oriented blockchain network, said the bills are repackaged attacks on privacy, just with different language.
“It doesn’t really seem possible to enforce, but it would essentially make blockchains illegal in general,” said Dixon. “There is no way for ethereum, bitcoin and other cryptocurrencies to comply.”
Matt Hill, the co-founder of Start9 Labs in Colorado, which develops decentralized internet tech, says he sees both pieces of legislation as falling into the same bucket, even if they are different in flavor.
“The ultimate meaning is the same, which is that if you are a service provider of privacy or encryption, you are going to be subject to the whims of politics,” said Hill.
“We hope politicians and our political system stay rational, and uphold individual rights to privacy, but if they don’t, you are going to be subjected to force, whether it’s building a backdoor or handing over user data.”
Hill said that even if these bills don’t pass, the very fact they’re sitting on the table and being taken seriously should be enough of a warning sign for us to start thinking outside the political box.
“Privacy is not safe in their hands,” said Hill. “So we have to protect privacy with technology, as opposed to with laws.”
This is privacy-by-design tech, the kind that Start9 Labs develops, including a server that lets users run their own private networks and cut out middlemen who would otherwise have access to their data.
Start9 Labs’ tech is built such that it can’t hand over any user data, even if legally compelled to, because it doesn’t have it. It builds the tech but doesn’t run the services on it. Given its products are open source, they can continue to run and protect user privacy, even if the company is shut down.
Encrypted communications are regularly used by people such as dissidents and journalists, and are often a means of protecting sources or organizing in authoritarian countries. There is a risk that if the U.S., which has long held itself up as an example of freedom and democracy, moves to eliminate end-to-end encryption, other countries would also follow suit, and use such legislation to crack down on dissent.
Finally, backdoors inevitably get used by bad guys, not just law enforcement.
“There’s no such thing as a backdoor just for good guys,” said Daisy Soderberg-Rivkin, a fellow focusing on children and technology at the R Street Institute, a policy think tank in Washington, D.C. “This opens up users’ information to a whole mess of bad actors.”
UPDATE: The section about the EARN IT Act’s potential impact on services like WhatsApp has been updated.