Hidden Anti-Cryptography Provisions in Internet Anti-Trust Bills - Schneier on Security:
Two bills attempting to reduce the power of Internet monopolies are currently being debated in Congress: S. 2992, the American Innovation and Choice Online Act; and S. 2710, the Open App Markets Act. Reducing the power to tech monopolies would do more to "fix" the Internet than any other single action, and I am generally in favor of them both. (The Center for American Progress wrote a good summary and evaluation of them. I have written in support of the bill that would force Google and Apple to give up their monopolies on their phone app stores.)
There is a significant problem, though. Both bills have provisions that could be used to break end-to-end encryption.
Let's start with S. 2992. Sec. 3(c)(7)(A)(iii) would allow a company to deny access to apps installed by users, where those app makers "have been identified [by the Federal Government] as national security, intelligence, or law enforcement risks." That language is far too broad. [...]
Sec. 3(c)(7)(A)(vi) states that there shall be no liability for a platform "solely" because it offers "end-to-end encryption." This language is too narrow. The word "solely" suggests that offering end-to-end encryption could be a factor in determining liability, provided that it is not the only reason. [...]
In Sec. 2(a)(2), the definition of business user excludes any person who "is a clear national security risk." This term is undefined, and as such far too broad. It can easily be interpreted to cover any company that offers an end-to-end encrypted alternative, or a service offered in a country whose privacy laws forbid disclosing data in response to US court-ordered surveillance. [...]
Finally, under Sec. 3(b)(2)(B), platforms have an affirmative defense for conduct that would otherwise violate the Act if they do so in order to "protect safety, user privacy, the security of nonpublic data, or the security of the covered platform." This language is too vague, and could be used to deny users the ability to use competing services that offer better security/privacy than the incumbent platform—particularly where the platform offers subpar security in the name of "public safety." [...]
S. 2710 has similar problems. Sec 7. (6)(B) contains language specifying that the bill does not "require a covered company to interoperate or share data with persons or business users that...have been identified by the Federal Government as national security, intelligence, or law enforcement risks." This would mean that Apple could ignore the prohibition against private APIs, and deny access to otherwise private APIs, for developers of encryption products that have been publicly identified by the FBI. That is, end-to-end encryption products.
I want those bills to pass, but I want those provisions cleared up so we don't lose strong end-to-end encryption in our attempt to reign in the tech monopolies.
If you are a US citizen, just in case you want to express your opinion, don't forget that Senators love to hear from their constituents.
(Score: 4, Insightful) by Snotnose on Wednesday June 22 2022, @08:15PM (1 child)
As long as we send them big checks. Otherwise, STFU and never mind what we do behind the curtain.
I swear to $diety, if I ever hit the lottery first thing I'm gonna do is buy a congresscritter. Keep notes, and ensure when I die those notes and all the conversations I surreptitiously recorded make it to the public.
Cuz I no matter how they feel when first elected, once in Congress the machine take over and graft is the name of the game.
Question: How many congresscritters relied on parents/friends/gofundme sources of income, who, 10 years later were not multi-millionares. From insider trading, to flat out selling votes for $$$, after maybe 2 years in office every damned one of them is corrupt. Not the corrupt they apply to themselves, but the "if you don't pay $xxx protection next month your business will go up in flames" corrupt.
When the dust settled America realized it was saved by a porn star.
(Score: 1, Informative) by Anonymous Coward on Wednesday June 22 2022, @10:01PM
You might snag a dumb one, but mostly the corruption is done through legal channels. That is what Citizen's United was all about!
(Score: 3, Touché) by JoeMerchant on Wednesday June 22 2022, @08:26PM (5 children)
Laws can coerce large companies to not implement end-to-end encryption for their customers, but there is no law that can break end-to-end encryption.
Put another way: when end-to-end encryption is outlawed, only outlaws will use end-to-end encryption - and they'll do so easier than buying a .38 at a gun show.
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Thursday June 23 2022, @01:22AM (3 children)
The infrastructure is being put into place to prevent running software that is not blessed by a central authority. This would allow enforcing anti-encryption laws for the masses.
E.g., Microsoft's Pluton (that is being integrated into all the major brands' x86 CPUs; and the one vendor's ARM SoCs that are licensed to run windows), has as one of its features remote attestation. You are not required to use Pluton today, but in a much more likely future than many of us would like, its remote attestation of the software / user lockout state of the hardware you are running may be required for online banking, government websites, maybe other random sites due to "app stores" on the major platforms enforcing restrictions on all software in the "store"-- for your security, of course. Major mobile platforms are already able to enforce such a policy. Android safetynet, user having root causes safetynet to fail, blocking banking apps, etc. Google could add using an unapproved app (possibly employing unauthorized encryption) to trigger safetynet fail too. And, on iOS, you literally need to run an exploit to be able to access your hardware in a way that the ghost of Mr. Jobs hasn't approved of.
In such a world, yes, "only outlaws will use end-to-end encryption."
An observation. Once infrastructure is in place that can facilitate , it is only a matter of time until it is used to enable -- no matter how unpopular, distasteful, immoral, (currently) illegal, etc., is.
(Score: 2) by JoeMerchant on Thursday June 23 2022, @02:19AM (1 child)
>The infrastructure is being put into place to prevent running software that is not blessed by a central authority.
They can try, and they can get some mainstream (Intel, maybe AMD) hardware vendors on board.
I seriously doubt they will be outlawing ARM processors and open source software, at least not successfully.
🌻🌻 [google.com]
(Score: 2, Interesting) by Anonymous Coward on Thursday June 23 2022, @03:43AM
Most ARM processors already require closed-source blobs to run Linux, often tied to specific kernel builds, and any Windows compatible ARM device requires a Microsoft signed bootloader. They don't need to outlaw open source, just make it impossible to run non-approved versions.
(Score: 4, Informative) by tangomargarine on Thursday June 23 2022, @02:59AM
Oh, you mean like TPM and SecureBoot, which is already implemented and out there, that Microsoft just Double Pinky Promised they won't use to fuck us over and lock us out of other OSs?
Bend Over Here It Comes Again
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Thursday June 23 2022, @02:50AM
Not yet, but all they have to do is order the ISP to block/redirect encrypted packets, and in the US they can do it secretly with an NSL (National Security Letter).
(Score: 5, Interesting) by rpnx on Wednesday June 22 2022, @09:33PM (5 children)
Fix the real problems. Patent abuse created these monopolies and hardware restrictions facilitate them.
1. Restore net neutrality.
2. Require hardware manufacturers to document their hardware.
3. Reduce technology patents to 10 years and increase fees to file a patent by 10x, with 80% refunded if your patent is accepted.
4. Require ISP to give symmetric speeds so people can host servers in their houses again. (this is HUGE)
5. Make it unlawful to be an ISP and content/information provider simultaneously, this is a huge conflict of interest between the needs of ISP customers/the public and the cable companies.
6. Make it unlawful for mobile service providers to enter into contracts with hardware providers, cell phone brands, etc (again, ISP conflict of interest).
7. Make it unlawful to treat laptops/hotspot data different from other mobile data (except emergency calls).
8. Subsidize FCC testing.
9. Allow a locked bootloader/os if the user can disable it. Like most android do. Otherwise disallow.
10. Since people can now choose an OS, don't restrict how the OS operates except according to existing antitrust law.
(Score: 1) by rpnx on Wednesday June 22 2022, @09:54PM (2 children)
I don't like them because they don't fix the real issues. And there needs to be carve outs for curated app stores. The fact is, app curation is important. I'm totally down for requiring the hardware to be open though. While I think Apple shouldn't be able to shut down app store competitors, allowing Apple to curate the App Store is a good thing.
Now, when Google, for example, pays companies to exclude other app stores, or Apple makes it impossible to sideload other apps or App Stores, THAT is anticompetitive IMO. Normally the solution to that would be "roll your own OS", but the cozy relationship between the established OS companies and their hardware vendors and cellular providers has made that pretty impossible.
Require hardware vendors to document their shit and and mobile providers not to discriminate against certain devices, and the other problems will resolve themselves.
(Score: 1) by rpnx on Wednesday June 22 2022, @09:57PM (1 child)
Example: Why nobody uses Manjaro/Ubuntu Touch: "We're still working on getting Wifi working on this phone, the hardware vendor wont share documentation with us". Or "sleep doesn't work on X cpu". Or "MMS on this phone doesn't work on Sprint with our OS, we can't fix it because Sprint requires blob X".
That is why there are no competitors.
(Score: 0) by Anonymous Coward on Saturday June 25 2022, @05:54PM
(Score: 0) by Anonymous Coward on Thursday June 23 2022, @02:17AM
Two words, Common Carrier
(Score: 2) by loonycyborg on Thursday June 23 2022, @11:55AM
Not so huge if you only want to host a simple website. In fact, it's mostly about having a public IP.
(Score: 4, Funny) by unauthorized on Wednesday June 22 2022, @10:33PM (2 children)
Oh look, another example of how the evil authoritarian Chinese regime is trying to censor free speech!
(Score: -1, Troll) by Anonymous Coward on Wednesday June 22 2022, @10:55PM (1 child)
considering how many u.s. politicians are bought and paid for by the chinese, it's hard to tell. fang, fang, bang, bang says "hai!"
(Score: 0) by Anonymous Coward on Thursday June 23 2022, @02:00PM
At least this would give an end to the myth that the chinese are cheap.
(Score: 2) by tangomargarine on Thursday June 23 2022, @02:56AM (2 children)
I'm kind of tempted to suggest the response to this constant practice of attaching complete horseshit riders to actually useful legislation in order to ram it down our throats ("oh, we can't actually use any of our shenanigans to prevent you getting this law you actually want? okay, just let us attach 3 things you hate to it in the process to make ourselves feel better about it") of just voting down any law they do the practice with. (Obviously would be a judgment call how odious any given rider is.) We'll just stay here until you can behave reasonably.
...But now I'm picturing politicians just purposely attaching such a rider to any bill they don't want to see passed in order to get it shot down.
Man, fuck politicians.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2, Interesting) by Anonymous Coward on Thursday June 23 2022, @03:49AM
Already SOP. They even do it with their own bills that they know their constituents want but that Wall Street or the three-letter-soup doesn't. That way they can get up and beat their chests about how they supported Bill X but the evil $OTHER PARTY threw it out. Both sides do it, but you only ever hear about the poison pills if you watch the other side's 'news'.
(Score: 0) by Anonymous Coward on Saturday June 25 2022, @06:01PM
I guess the truth is only a tiny/near nonexistent minority really hate the bills and the congress critters that much. There are more who hate school kids and teachers.
Guess the "education" system/culture is that bad...
(Score: 0) by Anonymous Coward on Thursday June 23 2022, @11:38AM
https://en.wikipedia.org/wiki/Sherman_Antitrust_Act_of_1890 [wikipedia.org]
That would violate a major rule.
Never waste a crisis to further some other agenda.
Generally with the effect of the bill opposite what the title implys.
'American innovation and choice online act.'
(Score: 0) by Anonymous Coward on Thursday June 23 2022, @12:14PM (1 child)
I am constantly told by Soylentils that the government must be given more power in its beneficence to personally help me because they love me. Govt is the atheists' Jesus.
(Score: 0) by Anonymous Coward on Thursday June 23 2022, @02:08PM
I don't see you using that gun you keep under your pillow to a good use in this particular case though.
(Score: 0) by Anonymous Coward on Thursday June 23 2022, @08:27PM
...It's all theater. The game has been rigged for a long time. Occasionally, some good stuff happens. It doesn't seem like it happens due to media attention and popular opinion, though. The good stuff that happens, is likened to, when the tyrannical, say, has a soft spot for fine music and dance. When that happens, he makes a few concessions, and the people, though oppressed, get to dance and sing for a little while; but, only for as long as they don't piss of the despot, which, happens eventually.
The norm, however, is to manufacture problems, so pre-concluded decisions can be forced in under the fake, but legitimate appearing pretext required to convince people. And if the problem isn't manufactured outright, which it may not be, it will be an opportunistic crisis to sneak in the stuff THEY want to see legislated; but, that, otherwise, they'd have a tough time convincing anyone of.
SSDD...
I think the best we can do is try to be kinder people, more educated, more informed, more tolerant. As for voting and government... eh... Don't let it ruin your day..