> The latter is protected by the Fifth Amendment right against self incrimination, in the same way as sharing knowledge verbally. ... If the latter, however, then there is no legal way for law enforcement to force you to decrypt the device.
Not exactly. Yes, revealing the combination requires the person to implicitly admit that they know what the combination is. But if the government can prove that they already know this "testimony" -- which they can in most cases -- then the "foregone conclusion" doctrine applies and the 5th Amendment privilege cannot be asserted. See, for example, the Massachusetts Supreme Court's decision in Commonwealth v. Jones. [1] There is also conflicting 11th Circuit precedent that further requires the government to establish with "reasonable particularity" what is on the encrypted device. [2] In my opinion this is not correct; the contents of the drive have nothing to do with the testimonial value of the combination. In any event, this issue will eventually need to be resolved at the Supreme Court.
> I think it is unreasonable because it's asking companies to willfully violate their user's privacy and trust, and to severely undermine encryption as a whole. There is zero chance that this does not get abused.
I don't see how it violates user privacy or trust. In general, you don't have the right to keep records secure from law enforcement if they have a warrant. If this law is passed, these companies should simply disclose to their customers that they will provide law enforcement with the means to decrypt their data, as many already do.
I also don't see how it severely undermines encryption. Yes, end-to-end encryption is more secure, but it's not the industry norm. Security is relative, but I wouldn't call Gmail "insecure" just because Google allows law enforcement to read emails with a warrant.
[1] https://www.socialaw.com/services/slip-opinions/slip-opinion...
[2] https://www.eff.org/files/filenode/opiniondoe22312.pdf
That's fascinating, thank you for sharing! That helps make my point, though, that the legal framework for handling encryption already exists and just needs to be clarified a little bit, instead of making new, far-reaching laws with serious implications on the landscape.
> I don't see how it violates user privacy or trust. In general, you don't have the right to keep records secure from law enforcement if they have a warrant. If this law is passed, these companies should simply disclose to their customers that they will provide law enforcement with the means to decrypt their data, as many already do.
It will get abused. Just like wiretapping got abused, just like NSA surveillance got abused. Furthermore, having a master key floating around means that at some point, inevitably, a foreign government or organization will get ahold of it. If this were implemented correctly—over a special, secure channel that only law enforcement could access (with a warrant!)—that would be mostly harmless, but I simply don't trust our government and businesses to implement anything correctly that has to do with the privacy and security of user data. There have simply been too many previous violations.
> I also don't see how it severely undermines encryption. Yes, end-to-end encryption is more secure, but it's not the industry norm. Security is relative, but I wouldn't call Gmail "insecure" just because Google allows law enforcement to read emails with a warrant.
But the issue with bills like the EARN IT Act is that they make end-to-end encryption completely infeasible for any company to implement. That's the problem: you can't even have E2EE in the first place if it passes, because it conflicts with the requirement to allow law enforcement to be able to read messages.