Senator Blumenthal has issued a call for the FTC to investigate Zoom’s security, illustrating a schism within the government over the issue of encryption.
Few issues have polarized politicians, scientists, researchers and citizens as much as end-to-end encryption. Many officials, including multiple FBI directors, have warned that strong encryption makes it nearly impossible to properly investigate cases and contributes to criminals “going dark.” Others, such as Senators Ron Wyden and Rand Paul, have been staunch proponents of strong encryption. Similarly, mathematicians and security experts have repeatedly made the case that strong encryption cannot have backdoors or built-in weaknesses and still offer the necessary protection.
Currently, the biggest threat to encryption in the U.S. is the upcoming EARN IT Act. The bill is designed to combat online sexual exploitation of children. While that is absolutely a worthwhile goal that should be a priority for companies, governments and individuals alike, the bill is a Pandora’s box of uncertainty when it comes to encryption. The bill addresses protection under Section 230 of the Communications Decency Act, wherein companies are not held liable for things people say or do on their communications platforms.
Under the proposed EARN IT Act, in order to maintain their protected status under Section 230, companies would need to comply with vague “best practices” established by a committee. This committee, and the U.S. Attorney General, would have wide discretion to determine what those “best practices” are. So what happens if the Attorney General is William Barr, an individual who has voiced staunch opposition to end-to-end encryption? Might “best practices” include the requirement that companies build in backdoors? Very likely.
Backers of the bill have said it is not an attack on encryption and that necessary safeguards are in place. However, nearly every expert who has reviewed the bill has arrived at a completely different conclusion, and believes the bill will absolutely lead to an all-out attack on encryption.
Should that happen, many companies will have to choose between weakening their encryption, and thereby endangering their users, or moving their businesses outside the U.S. One example is the encrypted messaging app Signal, used by the U.S. military, as well as senators and their staff. Signal developer Joshua Lund made it clear (an excellent read) that the app will likely no longer be available in the U.S. if EARN IT passes.
What makes this story all the more interesting is a recent tweet by Senator Richard Blumenthal, one of the sponsors of the EARN IT Act:
I am calling on FTC to investigate @zoomus. Zoom’s pattern of security failures & privacy infringements should have drawn the FTC’s attention & scrutiny long ago. Advertising privacy features that do not exist is clearly a deceptive act.
The facts & practices unearthed by researchers in recent weeks are alarming—we should be concerned about what remains hidden. As Zoom becomes embedded in Americans’ daily lives, we urgently need a full & transparent investigation of its privacy & security.
Richard Blumenthal (@SenBlumenthal) April 7, 2020
One of the biggest privacy and security issues with Zoom is the fact that it advertised end-to-end encryption, but failed to deliver. Based on Senator Blumenthal’s tweet, the message is clear: end-to-end encryption is a wonderful thing for government officials, so long as said government officials can still spy on the average citizen.
In other words, the U.S. government is stuck in a strange dichotomy where it wants to punish companies for not supporting end-to-end encryption, while at the same time undermining that very encryption and legislating backdoors into it.