Security News

Kinda sorta weakened version of EARN IT Act creeps closer
2020-07-08 10:46

Now that the EARN IT Act has crept closer to a full Senate hearing, we're that much closer to finding out whether the bill can really help stem the flood of online abuse material, whether it's a barely veiled attack on online privacy and end-to-end encryption, or all of the above. Senator Richard Blumenthal claimed that the bill "Is not about encryption and it never will be." The other co-sponsor, Senator Lindsey Graham, said that his goal "Is not to outlaw encryption".

You may be distracted by the pandemic but FYI: US Senate panel OK's backdoors-by-the-backdoor EARN IT Act
2020-07-06 20:42

An amended version of America's controversial proposed EARN IT Act has been unanimously approved by the Senate Judiciary Committee - a key step in its journey to becoming law. Concerns over the law being used to force tech companies to introduce encryption backdoors led to an amendment [PDF], put forward by Senator Patrick Leahy, that stated online platforms won't face civil or criminal liability if they are unable to break end-to-end encryption in their own services.

Signal: We’ll be eaten alive by EARN IT Act’s anti-encryption wolves
2020-04-15 10:00

Understandably, the end-to-end encrypted messaging app Signal has been signing up new users at "Unprecedented" rates and flipping the switch on servers "Faster than we ever anticipated," Signal's Joshua Lund said last week. At a high level, what the bill proposes is a system where companies have to earn Section 230 protection by following a set of designed-by-committee 'best practices' that are extraordinarily unlikely to allow end-to-end encryption.

Signal sends smoke, er, signal: If Congress cripples anonymous speech with EARN IT Act, we'll shut US ops
2020-04-09 20:09

Secure messaging app developer Signal says its US operation hangs in the balance due to a proposed law in America. "Some large tech behemoths could hypothetically shoulder the enormous financial burden of handling hundreds of new lawsuits if they suddenly became responsible for the random things their users say, but it would not be possible for a small nonprofit like Signal to continue to operate within the United States," Signal's Joshua Lund said.

EARN IT Act threatens end-to-end encryption
2020-03-13 13:12

For years, Naked Security and Sophos have said #nobackdoors, agreeing with the Information Technology Industry Council that "Weakening security with the aim of advancing security simply does not make sense." EARN IT is a bipartisan effort, having been introduced by Republican Lindsey Graham, Democrat Richard Blumenthal and other legislators who've used the specter of online child exploitation to argue for the weakening of encryption.

2020-03-13 11:20

The reason for this is, whilst it's easy enough to design a keyboard and display system on a "Secure token" that you can use as easily as a smallish mobile phone, the real usabiliry problem is getting the various plain/cipher texts in and out of the device into the communications channel end point device without compromising the "Secure token" by extending the communications channel into it via a side channel of some form. Then there are a whole load of other hardware level Shannon Channels for "Signaling" including in some cases "Break" on the basic Tx-Rx channels.

Don't be fooled, experts warn, America's anti-child-abuse EARN IT Act could burn encryption to the ground
2020-03-06 22:17

On Thursday, a bipartisan group of US senators introduced legislation with the ostensible purpose of combating child sexual abuse material online - at the apparent cost of encryption. The law bill is called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, which folds up into the indignant acronym EARN IT. Backed by senators Lindsey Graham, Richard Blumenthal, Josh Hawley and Dianne Feinstein, the proposed law intends to make technology companies "Earn" their exemption from liability allowed under Section 230 of the US Communications Decency Act by requiring internet companies to follow a set of best practices to keep CSAM off their networks.