LAED loopholes: unaffiliated entities, on-device data
I got the PDF from this shady docdroid link which opens an ad to install a chrome extension anytime I click on anything, which I found via stanford cyberlaw’s LAED article.
The interesting parts here are the ‘unaffiliated entity’ discussion and the apparent ‘local data’ loophole for OSs (see ‘remote data only’ section).
- Manufacturers, OS vendors, and platforms must
- Unaffiliated entity
- Ensure ability to provide assistance
- Loophole: for OSs, remote data only
- ‘Technically impossible’ objection permitted sometimes
- Striking
- Criminal anonymity
- Lawless space
- Prize competition
- Authenticating law enforcement requests
- What’s missing: 1st amendment considerations
Manufacturers, OS vendors, and platforms must
This bill lets the AG:
order a device manufacturer, an operating system provider, a provider of remote computing service, or another person to furnish all information, facilities, and assistance necessary to access information stored on an electronic device or to access remotely stored electronic information, as authorized by the search warrant.
This only applies to vendors with 1M annual device sales or 1M MAU.
It also requires these entities to build the technical capability to comply with these requests, unles … (read on).
Unaffiliated entity
decrypting or decoding information on the electronic device or remotely stored electronic information that is authorized to be searched, or otherwise providing such information in an intelligible format, unless the independent actions of an unaffiliated entity make it technically impossible to do so
this ‘unaffiliated entity’ language is going to be important – enter the age of 3rd party encryption providers
is an app publisher who publishes on the app store ‘affiliated’ with apple?
Ensure ability to provide assistance
shall ensure that the manufacturer has the ability to provide the assistance described in subsection (b)(2) for any consumer electronic device that the manufacturer
Note ‘ensure the ability’.
Loophole: for OSs, remote data only
A provider of remote computing service or operating system provider that provided service to more than 1,000,000 subscribers or users in the United States in 2016 or any calendar year thereafter, or that has received an assistance capability directive under section 3513, shall ensure that the provider has the ability to provide the assistance described in subparagraphs (A) and (B) of subsection (b)(2) for any remotely stored data that the provider processes or stores.
Not sure if this is an intentional hole or not but OS providers are not being asked to provide decryption assistance for data stored on the device.
Maybe the assumption here is, as per apple, that the hardware manufacturer and the OS vendor are the same company? Or that there’s no real way to enforce what software people run on their home computers. I don’t like that this loophole isn’t explicit, but I do like that it exists.
Remote storage: are we going to ban storage of raw unscanned bytes?
‘Technically impossible’ objection permitted sometimes
One of the grounds under which ISPs (‘communication providers’, ‘data in motion’ section) can object to a demand in the DC circuit court:
the person filing the petition demonstrates, by clear and convincing evidence, that it is technically impossible for the person to make any change to the way the hardware, software, or other property of the person behaves in order to comply with the directive
Note this is the wiretap section of the bill, not the ‘ensure that the provider has the ability to provide the assistance’ stuff for gear vendors above. The ‘ability’ requirement doesn’t have a ‘technically impossibly’ objection built in. (Though the law, in general, likely does).
Striking
Section 3127 of title 18, United States Code, is amended—
(1) in paragraph (5), by striking ‘‘and’’ at the end;
(2) in paragraph (6), by striking the period at the end and inserting ‘‘; and’’; and
describe your favorite movie but as boring as possible
Criminal anonymity
If not addressed, criminal anonymity actuated by end-to-end encryption technology will continue to pose a serious risk to the public.
This is the line for me.
‘criminal anonymity’ (in addition to being a good band name) is an interesting phrase because:
- is it saying that anonymity itself is criminal? or that anonymity by criminals is a bad thing
- decrypting message contents isn’t necessarily the same issue as anonymity; this ignores a deep history of legislation and case law about warrants and gov access to ‘envelope metadata’ vs contents
Lawless space
Congress finds the following:
The rapidly growing use of warrant-proof encryption in everyday devices, platforms, and systems allows illegal actors engaged in dangerous criminal activity – including child sexual abuse, terrorism, and international narcotics trafficking – to use encryption to shield their illicit activities from authorities.
- ‘warrant-proof encryption’ i.e. encryption as it exists in the real world today. Misleading to state it this way and the press should call them out on it – phrasing it this way is demagogy which is part of their job, yes, but it also reveals a lack of familiarity with the technology.
- Terrorism and drug trade are different from sex trafficking. Organizing human trafficking requires recruiting victims, and you can make an argument that it happens on online platforms. But organizing other forms of crime is criminal-to-criminal, it will move off platforms instantly when E2E goes away.
Re trafficking, yes this is a big deal. I don’t have a finished argument about this, other than that we need to understand the size of the problem, and the tradeoffs between backdoor encryption vs IRL for enforcement.
And that Bill Barr is probably not the person to listen to on this.
Here’s my nightmare scenario – the recruitment of trafficked people is primarily offline, law enforcement insiders know this, and they’re completely exaggerating about the role of social networks.
Why isn’t envelope data (who’s talking to who) enough to solve these crimes? Or at least to identify suspects and get us physical evidence.
I’m open to being convinced on this topic. I read some NCMEC paper which was not a good explainer.
Because of warrant-proof encryption, the government often cannot obtain the electronic evidence and intelligence necessary to investigate and prosecute threats to public safety and national security, even with a warrant or court order. This provides a ‘‘lawless space’’ that criminals, terrorists, and other bad actors can exploit for their nefarious ends.
This statement is flawed. A ‘bad dudes’ argument: (I use ‘dudes’ in the gender-neutral sense). Are you saying that making encryption a crime will deter people from using it who are already breaking the law by trafficking in narcotics and children?
‘Lawless space’ is an interesting phrase. Is this a space that has always been lawless? ‘Private sphere’ is a synonym for ‘lawless space’. Three chakras ago that was a good thing.
The Australian government just released a paper called ‘trust but verify’ (‘doveryai no proveryai’, a favorite reaganism) which uses the phrase ‘ungovernable space’:
no country which operates under the rule of law … can countnenace the creation of ungovernable spae, free from the rule of law (this is from the AU paper, not the bill).
‘Creation’ is the flaw in this sentence. Privacy isn’t something new. We’ve always had ungovernable space – governments are asking us to let them in.
legitimate need for the government to gain access to the most inti8 mate spaces in citizens’ lives in order to protect the public from criminal actors.
I agree with everything here except strike ‘legitimate’ and change ‘protect’ to ‘subject’.
Prize competition
Pursuant to legal process
More resources should be devoted to incentivizing the best minds in the United States to research the issues described in this section and decide how to best provide the most secure products and services to customers while also providing law enforcement access to information the government needs to investigate criminals seeking to do the public harm and to protect national security.
(1) to incentivize and encourage research and innovation into solutions providing law enforcement access to encrypted data pursuant to legal process;
‘pursuant to legal process’ is interesting – if the technology doesn’t somehow enforce due process, will service providers point to this and refuse implementation?
Would be interesting if this requirement led us to a system that made it difficult to use the without notfiying the person who’s being tapped. I don’t think the DOJ would tolerate this (they don’t want this much transparency), and I’m not sure it’s technically possible, but it would ease a lot of fears of abuse.
Interestingly, the obligation to ensure access is in no way contingent on the success of the prize competition.
Broad surveillance, slippery slope
(2) reducing or eliminating broad surveillance capabilities not targeted at specified facilities or individuals pursuant to a warrant or order within the lawful access solution.
Slippery slope strategy here; if my goal were to conduct broad surveillance J Hoover style, I’d start with this innocuous version.
The question isn’t ‘does this explicity enable broad surveillance’ but rather ‘does this incrementally enable tyranny, with minor other benefit to society’.
Not open source?
In implementing the prize competition, the Attorney General shall— … (7) protect against unauthorized use or disclosure of any trade secret or confidential business information of a participant
Does this mean the algo need not be open sourced?
Authenticating law enforcement requests
The Attorney General shall work with providers and law enforcement agencies from Federal, State, and local systems to identify options for, and develop, a system for verifying that an individual requesting data from a provider is a law enforcement official entitled to such access pursuant to lawful authority.
This is interesting separately from LAED – we should use technology to identify law enforcement officers and to provide a ‘receipt system’ or record system for how they use their power.
What’s missing: 1st amendment considerations
As always with the warrant-proof encryption debate this is concerned with weakening the 4th amendment and not thinking about the 1st.
Are we going to ban the publication of software that enables encryption? I’m not even talking about sale, just OSS on github. If we don’t, what stops private citizens from using that software?