15 votes

Topic deleted by author

5 comments

  1. [2]
    just_a_salmon

    I think you’re too focused on the technical and legal issues from a subject matter expert’s point of view, and not the human impact. It would be better to focus more on how the bill makes the average American significantly less safe— some examples are breaking into online banking sessions, getting blackmail material or sensitive financial information from cloud storage services, or the risk to the personal data of members of the intelligence community with how foreign intelligence services will capitalize— and how the unintended consequences of the bill defeat (almost) every single one of its goals.*

    If you’re talking to an older person, you might also have to explain how many services previously managed via mail are now done online, and how easy it is to detect mail theft compared to how hard it is to realize that someone has downloaded weakly encrypted data that they can now not only crack at their leisure, but also crack it in a reasonable time frame.

    The dark web angle is good, but you need to assume that your congresscritter thinks that the Internet is a series of tubes. Instead of explicitly invoking the dark web, you could explain just how easy it is to set up a messaging service or forum on a server without a DNS record (analogous to an unlisted phone number) and just not tell the government that it exists. I’d also recommend explaining that if the law passes, the only people using the good encryption would be criminals and how the government would be just as incapable of breaking it then as they are now. If your congresscritter is a Republican, an “only bad guys would have guns” analogy would be useful; it’s just that now only the bad guys’ encrypted data is uncrackable due to their general desire to not be caught, and wasn’t the whole point to make bad guys’ encrypted data crackable?

    Another problem is proliferation. Good encryption is everywhere, available in textbooks (and not just new textbooks), and has been taught to almost every computer science student that manages to get a half-decent education. This is another argument that a gun analogy would fit.

    Again, this all hinges on successfully arguing that EARN IT unavoidably means encryption backdoors.

    You could end with statements from encryption experts on how backdoors ultimately wreck any confidence in the encryption, and how math does not bow to the dictates of legislation.

    One nitpick:

    it will actively harm encryption

    This phrase isn’t helpful. I can’t quite put the words together to explain why, but it needs to go.

    * the one goal it succeeds in achieving is making it easier to find illicit data hosted on third-party services. But of course, this will just drive criminals to become technically savvy enough to use good encryption, which as stated above, is very easy to get ahold of.

    10 votes
    1. [2]
      Comment deleted by author
      1. just_a_salmon

        Again, this all hinges on successfully arguing that EARN IT unavoidably means encryption backdoors.

        Now that I’ve written that, I’m starting to think that this might not be the case. But if backdoors aren’t explicitly excluded, it may end up being enforced that way. I’ll make a discussion topic in the morning.

        Now if only the damn Wasatch Fault Line would let me sleep.

        4 votes
  2. patience_limited
    (edited)

    One argument you might mention is that EARN IT burdens Internet service providers and other tech companies with legal duties they can't comply with (yet?) and stay in business.

    The proposed Article 230 changes make providers liable for illegal material in transit or hosted with their services. Doing so forces them to try developing in-transit scanning technologies which may never work, and to take responsibility for law enforcement duties that the government is only permitted to exercise with a warrant.

    It's a terrible idea that could drive citizens and businesses away from using U.S.-regulated services wherever possible. This damages American competitiveness, and constitutes a potential national security threat as we can't protect data that isn't governed here.

    Schneier mentions a couple of sources, but the meat of the argument is here:

    I’m going to be a bit more blunt about this than I usually would be, but only because I think the following statement is accurate. The real goal here is to make it financially impossible for providers to deploy encryption.

    End-to-end encryption systems make [child pornography] scanning more challenging: this is because photo scanning systems are essentially a form of mass surveillance — one that’s deployed for a good cause — and end-to-end encryption is explicitly designed to prevent mass surveillance. So photo scanning while also allowing encryption is a fundamentally hard problem, one that providers don’t yet know how to solve.

    All of this brings us to EARN IT. The new bill, out of Lindsey Graham’s Judiciary committee, is designed to force providers to either solve the encryption-while-scanning problem, or stop using encryption entirely. And given that we don’t yet know how to solve the problem — and the techniques to do it are basically at the research stage of R&D — it’s likely that “stop using encryption” is really the preferred goal.

    EARN IT works by revoking a type of liability called Section 230 that makes it possible for providers to operate on the Internet, by preventing the provider from being held responsible for what their customers do on a platform like Facebook. The new bill would make it financially impossible for providers like WhatsApp and Apple to operate services unless they conduct “best practices” for scanning their systems for CSAM.

    Since there are no “best practices” in existence, and the techniques for doing this while preserving privacy are completely unknown, the bill creates a government-appointed committee that will tell technology providers what technology they have to use. The specific nature of the committee is byzantine and described within the bill itself. Needless to say, the makeup of the committee, which can include as few as zero data security experts, ensures that end-to-end encryption will almost certainly not be considered a best practice.

    So in short: this bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn’t come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they’ll go bankrupt if they try to disobey this committee’s recommendations.

    The whole Cryptography Engineering blog post is worth reading - it's a brief, lucid, accessible argument.

    Also, there's a subtle First Amendment issue at stake - the criminalization of the use of math. As /u/just_a_salmon mentioned, cryptographic methods are published everywhere, the tools are nearly ubiquitous. Even if effective end-to-end encryption supported by providers is abolished, would-be criminals can still encrypt their files - the "if guns are criminalized, only criminals will have guns" argument, except with uncontrollable strings of equations and algorithms.

    Lawfare attempts to argue that the proposed composition of the Senate-sponsored committee gives adequate voice to all stakeholders. As the above blog post mentions, the committee may have zero experts on security. By the numbers, it's easy for the Attorney General, legal experts and legislators to overrule the technical, civil society, and industry constituents. In effect, this is voting on the value of π - favoring a convenient law without regard to reality.

    I don't have specific suggestions for ways you can incorporate this information in your letter. Personally, I appreciate that you're taking thought, time, and effort. To be totally cynical, your representative is probably already hearing from lobbyists and party whips about how to vote. It's likely that your message won't be read at all, just added to a tally of citizen voices for/against.

    4 votes
  3. cfabbro

    I'm not American, so can't really give any constructive criticism on anything you have said related to the bill itself, but your letter and argument against it reads very well IMO. So the only thing I can really think of to suggest would be to hand write the letter instead of just printing it on your computer or emailing it, as supposedly that makes it far more likely to actually be read once it arrives (by an intern at the very least, anyways).

    3 votes
  4. determinism

    Here is my representative's form letter response to my own advocacy against the bill.

    Thank you for contacting me about the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act.

    We have a collective responsibility to protect our children from harm. This includes ensuring that they are not sexually exploited on the internet and other social media platforms. Though we have strong laws on the books for those who commit sex crimes against children, more can be done to ensure that our children are protected. Collectively, we should do everything that we can to ensure that individuals that sexually exploit the most vulnerable in our society are held accountable for their actions. That includes technology companies, which have a responsibility to protect children by screening for and removing abusive content from their websites and reporting individuals who violate the law on their platforms to law enforcement.

    The EARN IT Act would create incentives for companies to earn liability protection for violations of laws related to online child sexual abuse material and ensure tech companies are using best practices to prevent child exploitation. As a parent and grandparent, I take seriously the responsibility of safeguarding all children. Nothing is more tragic than the victimization of a child, and protecting our children from sexual crimes will always be a top priority for me.

    Should any legislation dealing with child pornography on the internet or child abuse come before the Senate, I will keep your thoughts in mind.

    Thank you again for getting in touch with me.

    Sincerely,
    Sherrod Brown

    United States Senator

    3 votes