Bill Aimed at Ending 'Warrant-Proof' Encryption Introduced in House:
Referred to as the Lawful Access to Encrypted Data Act, the bill aims to put a stop to criminals using “warrant-proof encryption and other technological advances” to hide their activity from authorities, Congresswoman Ann Wagner (R-MO), who introduced the bill, said.
“It is time tech companies stand with criminal investigators and the public to make clear they are committed to rooting out perpetrators who use their services to commit horrific crimes. As the digital world advances, so must our legislative solutions to investigate crimes that hit hardest the most vulnerable in our society,” Rep. Wagner commented.
Law enforcement agencies have long argued that strong encryption hinders their ability to conduct successful investigations in certain cases, often asking for backdoors that would provide them fast access to data of interest, but tech companies have opposed these requests, arguing that backdoors would introduce serious security and privacy risks.
The legislation would require tech companies to provide authorities with access to encrypted user data, while also stating that the Attorney General would report on which companies can comply. Furthermore, the government would offer compensation to companies that comply with the legislation.
Previously:
(2020-07-07) US Senate Panel OK's EARN IT Act
(2020-06-27) Senators Introduce "Balanced" Bill That Aims to End Warrant-Proof Encryption
(2020-06-11) Plundering of Crypto Keys From Ultrasecure SGX Sends Intel Scrambling Again
(2020-06-06) Zoom Says Free Users Won't Get End-to-End Encryption so FBI and Police Can Access Calls
(2020-05-19) AG Barr Seeks 'Legislative Solution' to Make Companies Unlock Phones
(2020-05-19) FBI Successfully Broke Into a Gunman's iPhone, but Still Very Angry at Apple
Related Stories
AG Barr seeks 'legislative solution' to make companies unlock phones:
ACLU Senior Staff Attorney Brett Max Kaufman responded to [US Attorney General] Barr's comments, saying "Every time there's a traumatic event requiring investigation into digital devices, the Justice Department loudly claims that it needs backdoors to encryption, and then quietly announces it actually found a way to access information without threatening the security and privacy of the entire world. The boy who cried wolf has nothing on the agency that cried encryption." While Barr's push for backdoors and cooperation from phone manufacturers raises concerns, Kaufman's response doesn't address that the DoJ isn't seeking the ability to unlock phones, but to do so as quickly as possible.
Apple's refusal to work with law enforcement has been an issue for years. The company wants to ensure its users feel confident in trusting Apple with their data, yet police and the FBI say that the refusals to cooperate hinder investigations and put lives at risk. It sounds like Barr wants to put a system into law that would oblige Apple to comply in future cases. How realistic this plan is -- or how much buy-in from politicians it will get -- remains to be seen, though it would force Apple to rethink how it approaches user privacy.
The FBI Successfully Broke into a Gunman's iPhone, but Still Angry at Apple:
After months of trying, the FBI successfully broke into iPhones belonging to the gunman responsible for a deadly shooting at Pensacola Naval Air Station in December 2019, and it now claims he had associations with terrorist organization al-Qaeda. Investigators managed to do so without Apple's help, but Attorney General William Barr and FBI director Christopher Wray both voiced strong frustration with the iPhone maker at a press conference on Monday morning.
Both officials say that encryption on the gunman's devices severely hampered the investigation. "Thanks to the great work of the FBI — and no thanks to Apple — we were able to unlock Alshamrani's phones," said Barr, who lamented the months and "large sums of taxpayer dollars" it took to get into the devices of Mohammed Saeed Alshamrani, who killed three US sailors and injured eight other people on December 6th.
Apple has said it provided investigators with iCloud data it had available for Alshamrani's account and other technical assistance, though it wasn't enough to bypass the encryption of Alshamrani's iPhones. So authorities spent many weeks trying to break in on their own.
Zoom says free users won't get end-to-end encryption so FBI and police can access calls:
Video calling company Zoom confirmed this week that it won't enable end-to-end encryption for free calls in part because it wants to give law enforcement access to these calls if necessary. "We think this feature should be a part of our offering" for professional customers, said Zoom CEO Eric Yuan in a meeting with investors Tuesday. "Free users — for sure we don't want to give [them] that, because we also want to work together with the FBI, with local law enforcement, in case some people use Zoom for a bad purpose."
Encryption is a key issue for Zoom, which has been attempting to beef up its privacy and security after heavy usage exposed weak points during the COVID-19 pandemic. Reuters reported last week that the company will only roll out high-security end-to-end encryption to paying customers, potentially with exceptions for dissident groups or nonprofits that require the added security.
Plundering of crypto keys from ultrasecure SGX sends Intel scrambling again:
On Tuesday, two separate academic teams disclosed two new and distinctive exploits that pierce Intel's Software Guard eXtension, by far the most sensitive region of the company's processors.
Abbreviated as SGX, the protection is designed to provide a Fort Knox of sorts for the safekeeping of encryption keys and other sensitive data even when the operating system or a virtual machine running on top is badly and maliciously compromised. SGX works by creating trusted execution environments that protect sensitive code and the data it works with from monitoring or tampering by anything else on the system.
Key to the security and authenticity assurances of SGX is its creation of what are called enclaves, or blocks of secure memory. Enclave contents are encrypted before they leave the processor and are written to RAM, and are decrypted only after they return to the processor. The job of SGX is to safeguard the enclave memory and block access to its contents by anything other than the trusted part of the CPU.
Graham, Cotton introduce yet another attempt to torpedo encryption:
On Tuesday, Sens. Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.), and Marsha Blackburn (R-Tenn.) introduced yet another bill attempting to poke holes in data encryption, called the Lawful Access To Encrypted Data Act. This bill follows previous US efforts to weaken encryption, including March's proposed EARN IT Act and demands made by US Attorney General William Barr in his 2019 keynote address at the International Conference on Cyber Security.
A press release from the Senate Judiciary Committee—which is chaired by Graham—describes the bill as "a balanced solution that keeps in mind the constitutional rights afforded to all Americans, while providing law enforcement the tools needed to protect the public from everyday violent crime and threats to our national security." It goes on to emphasize—in both bold and italic text—that the bill would "only" require service providers to grant law enforcement a back door after a court issues a warrant.
Graham expresses his personal position in strong terms:
Terrorists and criminals routinely use technology, whether smartphones, apps, or other means, to coordinate and communicate [...] tech companies have refused to honor [court orders] and assist law enforcement in their investigations. My position is clear: After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans.
Unfortunately, as is typical for these resolutions, Graham's expressed ideas don't adhere to technological reality. In order for a service provider to "honor and assist" law enforcement investigations in the way Graham demands, it would necessarily—and fatally—have to compromise the very encryption it offered in the first place. This would apply to every consumer the provider services (American or otherwise), whether a warrant were issued or not.
You may be distracted by the pandemic but FYI: US Senate panel OK's backdoors-by-the-backdoor EARN IT Act:
An amended version of America's controversial proposed EARN IT Act has been unanimously approved by the Senate Judiciary Committee – a key step in its journey to becoming law. This follows a series of changes and compromises that appear to address critics' greatest concerns while introducing fresh problems.
The draft legislation [PDF] is nominally supposed to help rid the web of child sexual abuse material (CSAM) by altering Section 230 of the Communications Decency Act, which strongly shields websites and apps, like Facebook and Twitter, from liability regardless of whatever their users share on those platforms, plus or minus some caveats. The proposed law rather ignored the fact that Section 230 already doesn't protect internet giants if their netizens upload illegal content, though.
Initial drafts of the law also contained two proposals that raised serious concerns from a broad range of groups and organizations. Firstly, the creation of a new 19-person committee, led by the Attorney General and dominated by law enforcement, which would create content rules that tech companies would have to follow to retain their legal protections. Secondly, and this is the suggestion that has security folks up in arms, those rules could require tech companies to provide Feds-only access to encrypted communications.
The idea is that companies would have to "earn" their legal shield – hence the name of the bill, EARN IT – by following the best practices created by the committee.
Following significant pushback on those points, the Judiciary Committee made changes aimed at gaining the full approval of all its members. In the now-OK'd version of the bill, the commission, called the National Commission on Online Child Sexual Exploitation Prevention, would still create its rules, but it would be "voluntary" for online platforms to follow them. Instead, if tech companies did follow the commission's rules, it "would be a defense in any civil suit," said committee chair Lindsey Graham (R-SC).
Concerns over the law being used to force tech companies to introduce encryption backdoors led to an amendment [PDF], put forward by Senator Patrick Leahy (D-VT), that stated online platforms won't face civil or criminal liability if they are unable to break end-to-end encryption in their own services.
Taken together, the amendments are intended to attract wide congressional support for the bill, and pave the way to open up Section 230. And in this instance, it worked, with the committee green-lighting the revised version by 22-0 votes on Thursday, allowing it to progress a little further toward the statute books.
However, privacy advocates and tech titans, as well as some lawmakers, remain strongly opposed to the law. For one, the proposed commission will not be made up of elected officials, and will still be able to create rules that do not need congressional approval, putting an extraordinary amount of censorship power into the hands of very few people with limited accountability.