What a time to be alive.
All over the world, nations are shutting down all but the most essential services in the name of slowing the spread of the Sars-Covid 19 virus. And as of this writing, we are nowhere even NEAR anything constituting a middle point of this pandemic. The light at the end of this tunnel of darkness is still far too distant to even detect.
But that doesn’t mean that officials in the increasingly authoritarian-mirroring Republican Party are not hard at work, fighting for the rights of Americans. That is, fighting for the rights of Americans to never harbour any digital secrets ever again.
It all stems from the idiotically named EARN IT bill. The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act is all about saving the children, say the politicians. However, anyone with a keen ear knows what lies between the lines in this act. Ever since the whole of the internet began adopting increasingly strong encryption as standard procedure, authorities at all levels of government have become increasingly infuriated with hitting this brick wall in various investigations. Be it smartphones, content in cloud servers, or web traffic that neither ISPs nor anyone else can comprehend, encrypted data has made all levels of surveillance much more difficult than it used to be.
For everyday users, an increasingly private internet meant more security and privacy in pretty much all contexts. And from the point of view of the dissident or whistleblower, there has never been a better time. Though there is no such thing as 100% untraceability, for many situations, current technology has brought us pretty close.
I explored this topic in some depth last year. That piece concluded with me speculating that we may well end up with weaker encryption schemes on account of government crackdowns. Written with that inevitability in mind, I tried to sort out what the options were for maintaining some semblance of privacy. For example, the drastic privacy difference between decrypting individual-app generated traffic on the fly, and an OS backdoor.
At the time, I didn’t think the threat was all that serious, considering the enormity of the task. Any governing official that went public with a plan (or even the proposition) of eliminating encryption would have a short career. And even if such laws were passed AND ISPs were mandated to filter all blind traffic within their networks, the ensuing chaos would break the economy.
Canadian ISP Rogers learned this the hard way back in 2007 when they tried to rein in encrypted BitTorrent transfers by slowing down all encrypted traffic. The result was less filesharing . . . and a whole lot of legitimate users of email, online banking and other sensitive services angered at being caught in the dragnet.
Last October, this seemed like a problem that was far away into the future. Even in an era where we’re saying President Trump, this is still a step too far.
However, one could not predict that a novel coronavirus would take the world by storm back then (well, aside from these guys). Just as one couldn’t predict that a virus that had never been seen before would sweep the world, neither could they predict that politicians would attempt to use the blanket virus coverage to pass legislation mandating the breaking of encryption.
It all comes down to Section 230 of the Communications Decency Act of 1996.
Section 230 says that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider” (47 U.S.C. § 230). In other words, online intermediaries that host or republish speech are protected against a range of laws that might otherwise be used to hold them legally responsible for what others say and do. The protected intermediaries include not only regular Internet Service Providers (ISPs), but also a range of “interactive computer service providers,” including basically any online service that publishes third-party content. Though there are important exceptions for certain criminal and intellectual property-based claims, CDA 230 creates a broad protection that has allowed innovation and free speech online to flourish.
Whilst current-day legislation protects all communications entities and platforms from the illicit actions and behaviours of their end-users, this new law would hinge this protection on the service or platform’s ability to give authorities access to encrypted end-user data. The penalty for not doing so would be nothing short of bankruptcy.
Which seems to only leave 2 options. Accept defeat and cease to exist before the liability costs do it for you. Or roll back the standards so as to appease the spirit of the legislation. Though I may well be incorrect, I anticipate this would mean the adoption of weaker (aka previously broken) standards of cryptography. Though this may not necessarily be permanent (platforms may be working on a secure but warrant-friendly workaround), people will be at risk the longer the old standards persist.
This looks like an inevitability if the bill is passed. However, being that it has not yet happened, you still have time to act.
For what good it will do, many petitions against the act exist.
However, nothing is more important than exposure. So until John Oliver is back on the air to take this story nationwide, the job is in the hands of everyday Americans.