
How the U.K. and the Senate Judiciary Committee Are Being Dangerously Foolish About Cryptography

Susan Landau
Tuesday, March 1, 2022, 9:01 AM

In an attempt to prevent the online circulation of child sexual abuse material, a reintroduced Senate bill runs the risk of failing to combat the problem while simultaneously decreasing internet security.

Sen. Lindsey Graham, who introduced the EARN IT Act, at a Senate Judiciary hearing in 2019. (Official photo by U.S. Customs and Border Protection)

Published by The Lawfare Institute
in Cooperation With
Brookings

The story would be really funny—David Frost-biting-humor funny—if it weren’t true. Rolling Stone reported last month that the U.K. government hired M&C Saatchi Group, a U.K. advertising firm, to bring to public attention “our concerns about the impact end-to-end encryption would have on our ability to keep children safe.” The government plan includes spending £534,000 ($725,000). Such money, while not much in the U.K. national budget, could nonetheless be used for other purposes that would provide children with far better support.

The Home Office, which has long opposed the broad public use of end-to-end encryption (E2EE), continues to look at the issue narrowly. Its campaign fails to take into account the U.K. government’s own Information Commissioner’s Office (ICO)’s observation that “strongly encrypting communications strengthens online safety for children by reducing their exposure to threats such as blackmail.” In 2021, the ICO issued a report analyzing the use of end-to-end encryption, noting:

Positioning E2EE and online safety as being in inevitable opposition is a false dichotomy. Instead what is needed is an approach that seeks to reconcile the different demands whilst recognising the need to create a safe online ecosystem for all users. The challenge is to create tailored and proportionate responses to the issues that manifest without unduly interfering with the wider benefits that E2EE provides or the rights and freedoms of wider society. It is vital that one form of online safety is not traded off for another.

Exactly. But the Home Office is assuming that most people won’t know the ins and outs of end-to-end encryption and will be swayed by the understandably emotional issue of keeping children safe. This means forgoing a chance to move to a careful, thoughtful discussion of the trade-offs involved in securing a society highly dependent on digitized communications and stored data.

And it’s not only the U.K. Home Office that’s wearing such blinders. Last week the Senate Judiciary Committee unanimously voted out of committee a bill, the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, that would decrease public safety and national security in the name of “protecting children.” It seeks to do so through Section 230 of the Communications Decency Act, a critical section of that law that generally shields websites and platforms from liability for third-party content, such as users’ posts. That legal protection provided to hosts and websites has enabled the spectacular growth of many of the internet companies we use daily.

But while the committee vote on the bill was unanimous, a number of senators expressed concerns about the bill. Sixty well-known technology organizations and civil liberties groups, including LGBTQ rights organizations, had written a letter opposing the EARN IT Act. The letter was entered into the record by Sen. Jon Ossoff. Sen. Mike Lee was disturbed that the current version of the EARN IT Act effectively mandates “open-ended policing [and] the accessing and reporting of private and protected data.” Sen. Cory Booker expressed interest in action to address the “legitimate” civil-society concerns before the bill reached a Senate vote.

The EARN IT Act would create a National Commission on Online Child Sexual Exploitation Prevention tasked with recommending “best practices for providers of interactive computer services regarding the prevention of online child exploitation conduct.” These practices would apply to any computing service that hosts, stores, displays or retrieves information and is accessible by consumers across the internet. Thus the commission’s practices would apply to the internet giants, the gaming companies and essentially any internet company providing service to the public. And while “best practices” sound innocuous, because of the threat of liability that would be created by the EARN IT Act, these recommendations could become de facto requirements. Rather than lose their Section 230 protections, platforms would, in essence, be forced to comply with the recommendations.

Thus the likely result of the bill would be that any content hosted online—any content at all—is scanned. But the only way to scan everything would be to prevent the use of end-to-end encryption, since a provider cannot inspect content it cannot decrypt. Thus the EARN IT Act, while purporting to be about child safety, functions as a foot in the door for dismantling end-to-end encryption. And that makes it both extremely foolish and extremely dangerous.

The Crypto Wars are now several decades old. For many years, law enforcement positioned the battles as over privacy versus security. But as observed in a 2019 Carnegie Endowment for International Peace report that I helped put together, titled “Moving the Encryption Policy Debate Forward,” “Security in the context of the encryption debate consists of multiple aspects including national security, public safety, cybersecurity and privacy, and security from hostile or oppressive state actors.” Recently law enforcement has shifted its arguments against widespread availability of end-to-end encryption from the threats posed by terrorists to those posed to children’s safety. Law enforcement’s argument is often that purveyors of child sexual abuse material (CSAM) would encrypt more of their communications, impeding investigations.

Without doubt, CSAM is a serious problem. But to say that combating the problem requires getting rid of end-to-end encryption is to ignore the subtleties of what is, in fact, a complex set of differing crimes. CSAM involves both real-time videos of child abuse and sharing of static, sometimes decades-old, photos. When it involves cases that happen abroad, prosecution rates are often very low even when tech companies supply digital evidence. India, for example, saw convictions for CSAM possession in only 129 cases from 2014 to 2019, a number remarkably low given that the country received nearly 2 million tech company reports of CSAM in 2019. Thus accessing encrypted data may not be the most serious block in combating this crime. Indeed, a 2020 Unicef report on the broader issue of child exploitation points to many different factors allowing such abuse to occur; these include societal norms granting adults control over children and supporting male sexual entitlement and sexual violence, laws that blame victims while exonerating perpetrators, and environments in which adults are placed in positions of trust but have unmonitored control over children and adolescents.

Yet the Senate Judiciary Committee bill uses a broad-brush approach to the problem, one that fails to take into account the international aspect of the criminal activity, the problems of conducting such international investigations (including the lack of prosecution of perpetrators abroad, which can be due to the lack of laws criminalizing the actions), and potential remedies that extend well beyond law enforcement investigative capabilities.

Many major internet companies have already built systems for reporting CSAM activity on their platforms. It’s unclear what the EARN IT Act’s added value would be. A previous revision to Section 230, the Fight Online Sex Trafficking Act (FOSTA), appears to have complicated law enforcement investigations while making little difference to prosecutions. According to a 2021 Government Accountability Office report, the traffickers moved their platforms abroad in response to FOSTA, making investigations more difficult for U.S. law enforcement. If the EARN IT Act were to become law, it is likely that the criminals would adapt and go further underground, impeding law enforcement investigations. It would not be surprising if the EARN IT Act ended up having minimal impact on CSAM. Meanwhile the bill would likely create serious security risks if enacted.

As former FBI General Counsel Jim Baker explained in 2019, “[T]he digital ecosystem’s high degree of vulnerability to a range of malicious cyber actors is an existential threat to society.” The threat actors include powerful nation-states such as China. Day-to-day communications—tax returns, orders for children’s birthday presents, international business transactions, and control of Internet of Things devices and critical infrastructure—travel over insecure networks, including those built by Huawei. The national-security threats posed by Huawei and other insecure aspects of worldwide communication networks necessitate the use of end-to-end encryption, which is, in fact, the best tool for protecting the confidentiality and integrity of communications that transit insecure networks.

The U.S. government is increasingly outsourcing information technology functions. In doing so, it is also moving to a “zero trust” network model that grants access to particular functions not because a request originates inside a particular network, but because it carries credentials that authorize that access. A recent Office of Management and Budget memorandum regarding “zero trust cybersecurity principles” recommends wide use of encryption for communications. That argues for end-to-end encryption being the default across commercial systems. But the EARN IT Act would make this difficult.

And it is far from clear that the EARN IT Act would benefit children. As noted above, the U.K. ICO pointed out that children’s safety is often protected by E2EE. First of all, end-to-end encryption provides safety for LGBTQ youth, who risk being outed to their parents. E2EE also protects victims of domestic abuse, who need to secure their devices and their communications. The protection provided to domestic abuse victims by end-to-end encryption also often extends to children with abused or abusive parents.

E2EE also protects many other groups of users. In a world in which securing communication bits is equivalent to securing money, ideas, and business and personal information, end-to-end encryption is integral to public safety and national security. Furthermore, end-to-end encryption is essential to journalists, political organizers and human rights workers. While the Carnegie report focused on the issue of law enforcement access to encrypted mobile devices, the principles it provided for evaluating potential technical solutions to “exceptional access” (access for law enforcement under warrant, but security against other intruders) apply equally to communications access. The EARN IT Act’s proposed remedy violates two principles that the 2019 Carnegie report recommended regarding law enforcement access to encrypted data on mobile phones: “specificity”—that there be no practical way to repurpose a technique for mass surveillance—and “focus”—that the capability not appreciably decrease cybersecurity for the public at large, only for users subject to legitimate law enforcement access.

In the 2016 showdown between Apple and the FBI over the locked San Bernardino iPhone, a significant portion of the public understood that doing away with security protections to enable law enforcement investigations invited other intruders—including “hackers, other government agencies, foreign spies, cyber criminals, and terrorists”—in to hack devices. It’s unfortunate and, in fact, dangerous that the Senate Judiciary Committee members and the U.K. Home Office don’t yet fully appreciate that. With an approach that may or may not simplify the investigation of CSAM, lawmakers are seriously risking making all of us, children and adults alike, much less secure.


Susan Landau is Professor of Cyber Security and Policy in Computer Science, Tufts University. Previously, as Bridge Professor of Cyber Security and Policy at The Fletcher School and School of Engineering, Department of Computer Science, Landau established an innovative MS degree in Cybersecurity and Public Policy joint between the schools. She has been a senior staff privacy analyst at Google, distinguished engineer at Sun Microsystems, and faculty at Worcester Polytechnic Institute, University of Massachusetts Amherst, and Wesleyan University. She has served at various boards at the National Academies of Science, Engineering and Medicine and for several government agencies. She is the author or co-author of four books and numerous research papers. She has received the USENIX Lifetime Achievement Award, shared with Steven Bellovin and Matt Blaze, and the American Mathematical Society's Bertrand Russell Prize.