The U.S. government and tech companies continue to butt heads over the idea of encryption and what that means for law enforcement.

Encryption expert Riana Pfefferkorn believes new proposed laws – the EARN IT Act and the Lawful Access to Encrypted Data Act – pose dire threats to cybersecurity and privacy.

In this Threatpost interview, Pfefferkorn, who is associate director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society, lends valuable insight as to why proposed legislation is a “full-frontal nuclear assault on encryption in the United States.”

“I think we’re at a point where there is a rising tide around the world of threats to encryption and threats to our online freedoms more generally,” Pfefferkorn told Threatpost. “And it’s going to become more and more difficult, both as a regulatory atmosphere and as a normative matter, for companies to continue holding the hardline and saying, we cannot afford to go backwards on cybersecurity in light of the kinds of data breaches, information attacks and ransomware we face right now in the world.”

Below is a lightly edited transcript of the interview.

**Lindsey O’Donnell-Welch:** Hi, everyone, this is Lindsey O’Donnell Welch with Threatpost and I am joined today by Riana Pfefferkorn, the Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society. Riana, thank you so much for joining us today.

**Riana Pfefferkorn:** Thank you for having me.

**LO:** So just for all of our viewers, Riana’s work focuses on investigating and analyzing the U.S. government’s policy and practices for forcing decryption and influencing crypto-related design of online platforms and services, both via technical means and through the courts and legislators. And so that is very applicable for what we’re talking about today, which is a recently introduced bill called the Lawful Access to Encrypted Data Act. And that was introduced in June, and Riana, I want to talk to you a little bit about this, but this bill argued that the ending of the use of “warrant proof encrypted technology” would “bolster national security interests, and better protect communities across the country.” Now, this has generated a lot of backlash from the security and from the privacy space. And I know that you had many thoughts about this as well. So can you talk to me a little bit about what specifically this bill is and kind of what the fine print is for it, and really what it consists of?

**RP:** Sure. So what this bill does is that it would amend the various parts of the existing framework that we have for the issuance of warrants under federal statute and the issuance of other types of surveillance orders. In the past it has not been clear within the scope of those laws, whether the government could force a company to decrypt information or provide other technical assistance in order to provide access to the plain text of encrypted data. We’ve seen a couple of court decisions saying no, the existing laws do not go so far as to do what it is that you are asking to do, for example, in the Apple versus FBI San Bernardino case involving a warrant to get into a locked phone. So the goal of this bill, as I see it, is to clarify by making additions and amendments to those laws to that statutory framework, so that rather than relying upon the arguments that the Department of Justice and the FBI have made in recent years to say “these existing laws allow us to get what we want in terms of decrypting data.” Now, this is an admission, “okay, those laws don’t do that.” And therefore, there needs to be amendments to make that more clear. So this would specifically say that for providers of online services – so that could be pretty much anybody. It could be websites, it could be email, it could be social media. It could be apps and so forth – they would have to decrypt data upon demand. If you are a smaller provider with under a million users or customers or devices sold annually in the U.S., you will be subject to receiving a capability notice from the Attorney General saying build a decryption capability for us to get into your service or your device.

If you have more than a million monthly active users or devices sold in the United States, annually, etc., then you would have to proactively redesign your products, your service in order to have a decryption capability, so that if and when you do receive a warrant or a wiretap order, etc., then you will already have the ability to decrypt that information for law enforcement. So this is a significant escalation from what we have seen in the encryption debate in recent years, where, as I said, it’s mostly been relying upon interpretations of existing language and laws on the books and sort of novel stretching the envelope with regard to what those laws might say. And we have not yet seen any bills as overt as this that directly go to saying encryption out loud.


Encryption Under ‘Full-Frontal Nuclear Assault’ By U.S. Bills